The other is when you are processing personal data of EU data subjects that is related to "the monitoring of their behaviour as far as their behaviour takes place within the Union".
There's a recital that adds:
> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Unlike the recital that explains the goods and services case, which talks about it only applying if you envisage offering goods and services in the Union as opposed to your site merely being accessible from the Union, the monitoring case doesn't seem to have any requirement that you are intending to monitor EU data subjects.
That's pretty broad as written. From what the recital says it even applies if you are gathering data the could be used for profiling even if you are not actually currently profiling.
As noted in the article at gdpr.eu that a parallel commenter cited:
> If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how brazenly it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.
