Third, a controller or processor not proven during the EU will likely be subject matter on the GDPR if it procedures the personal knowledge of knowledge topics inside the EU and that processing is connected with the “monitoring” inside the EU from the “conduct” of knowledge subjects as their conduct https://cybersecurityriskmanagementinusa.blogspot.com/2024/08/web-application-security-testing-in-usa.html
