3rd, a controller or processor not established in the EU might be issue to the GDPR if it processes the non-public data of knowledge subjects in the EU Which processing is related to the “checking” within the EU of the “actions” of information topics as their habits will take position https://cybersecurityinriskmanagement.blogspot.com/2024/08/web-application-security-testing-in-usa.html