If the organization is established within the EEA, the processing of personal data falls under the GDPR regime, regardless of whether the data relates to data subjects outside of the EEA or whether it has been collected or processed outside of the EEA (Art. 3(1)). Additionally, the GDPR also applies if the offering of goods and services, as well as the monitoring of behavior, takes place within the EEA (Art. 3(2)(a) and Art. 3(2)(b)), regardless of whether the data controller or processor is located within the EEA. The GDPR also applies to the processing of personal data in places where “Member State law applies by virtue of public international law” (Art. 3(3)), even if the data controller is not located in the EU.
If data is transferred outside of the EEA, the data subject should also be notified, and this international data transfer should be supported by some mechanism to make it lawful (Art. 14(1)(f)) (see “Section Transfer of Data to Third Parties” in the “Main tools and Actions” Section of these Guidelines).