- Data controllers in third countries fall within the scope of the Regulation pursuant to Art. 3 (2) GDPR.
- Without a designated representative in accordance with Art. 27 GDPR, enforcement against third country controllers is practically difficult.
- Without intergovernmental agreements, administrative assistance and diplomatic procedures are necessary; enforcement options currently limited.
In his report, the Saxon data protection commissioner has Activity Report for the reporting year 2019 commented in an interesting way on the “enforcement of the GDPR due to the territorial scope vis-à-vis controllers in third countries”:
Pursuant to Article 3(2) of the GDPR, controllers in third countries are also subject to the scope of the Regulation. At my service go Numerous complaints against companies based outside the European Union one. To the extent that data controllers have not appointed a representative pursuant to Article 27 GDPR, influencing the data controller in its implementation is practically difficult. Moreover, insofar as measures are to be taken vis-à-vis these controllers, a Administrative assistance procedure and to initiate a procedure through diplomatic channels via the foreign missions of the Federal Republic of Germany. Currently, I inform the complainants that – in the absence of intergovernmental agreements – I do not see any possibilities to enforce my legal positions or orders..