DPO Sax­o­ny: Enforce­ment of the GDPR against con­trol­lers in third countries

In his report, the Saxon data pro­tec­tion com­mis­sio­ner has Acti­vi­ty Report for the report­ing year 2019 com­men­ted in an inte­re­st­ing way on the “enforce­ment of the GDPR due to the ter­ri­to­ri­al scope vis-à-vis con­trol­lers in third countries”:

Pur­su­ant to Artic­le 3(2) of the GDPR, con­trol­lers in third count­ries are also sub­ject to the scope of the Regu­la­ti­on. At my ser­vice go Num­e­rous com­plaints against com­pa­nies based out­side the Euro­pean Uni­on one. To the ext­ent that data con­trol­lers have not appoin­ted a repre­sen­ta­ti­ve pur­su­ant to Artic­le 27 GDPR, influen­cing the data con­trol­ler in its imple­men­ta­ti­on is prac­ti­cal­ly dif­fi­cult. Moreo­ver, inso­far as mea­su­res are to be taken vis-à-vis the­se con­trol­lers, a Admi­ni­stra­ti­ve assi­stance pro­ce­du­re and to initia­te a pro­ce­du­re through diplo­ma­tic chan­nels via the for­eign mis­si­ons of the Fede­ral Repu­blic of Ger­ma­ny. Curr­ent­ly, I inform the com­plainants that – in the absence of inter­go­vern­men­tal agree­ments – I do not see any pos­si­bi­li­ties to enforce my legal posi­ti­ons or orders..