In his report, the Saxon data protection commissioner has Activity Report for the reporting year 2019 commented in an interesting way on the “enforcement of the GDPR due to the territorial scope vis-à-vis controllers in third countries”:
Pursuant to Article 3(2) of the GDPR, controllers in third countries are also subject to the scope of the Regulation. At my service go Numerous complaints against companies based outside the European Union one. To the extent that data controllers have not appointed a representative pursuant to Article 27 GDPR, influencing the data controller in its implementation is practically difficult. Moreover, insofar as measures are to be taken vis-à-vis these controllers, a Administrative assistance procedure and to initiate a procedure through diplomatic channels via the foreign missions of the Federal Republic of Germany. Currently, I inform the complainants that – in the absence of intergovernmental agreements – I do not see any possibilities to enforce my legal positions or orders..