Third, a controller or processor not established within the EU will likely be topic to your GDPR if it processes the personal info of data subjects while in the EU Which processing is connected to the “monitoring” while in the EU of the “habits” of data subjects as their actions https://cyber-security-consulting-in-usa.mystrikingly.com/blog/data-privacy-compliance-in-saudi-arabia