According to GDPR Article 3 (2), organisations that are not located in the EU, but processing the personal data of persons located in the EU for the purpose of the offering of goods or services (irrespective of whether a payment of the data subject is required) and/or monitoring their behaviour as far as their behaviour takes place within the Union, must comply with the GDPR. This applies both to controllers and processors.
Such a non-EU controller or processor shall designate a local representative in the EU.
