3rd, a controller or processor not founded during the EU might be issue towards the GDPR if it processes the private knowledge of information topics inside the EU and that processing is connected with the “checking” in the EU in the “actions” of knowledge subjects as their conduct normally takes https://sites.google.com/view/gdpr-compliance-in-usa/