From the list of issues, we have derived sixteen “core concepts”, which can provide solutions via high-level principles and rules.

Ideally, these concepts should be abstract enough to capture many problems, with a simple rule or principle that can be included in various provisions throughout the new Regulation.

When developing these principles, we have actively considered existing mechanisms in EU law, such as instruments in procedural rules, which seem to have many common features with GDPR procedures.

Concept 13: European enforcement

Currently there is no option for cross-country enforcement under GDPR. Especially for third-country controllers or processors, this means that the SA at the place of the complaint or any ex officio investigation can easily be frustrated when such decisions are simply not enforceable, because any assets or processing systems are in another European jurisdiction.

Equally, when a controller moves the main establishment to another Member State, the previous LSA may be unable to enforce a decision, as there may not be any assets left in the Member States.

Some SAs even reject to investigate complaints, claiming that they would be unable to enforce complaints against controllers outside of their territory anyways (see e.g. Luxembourg).

In particular, enforcement actions at the place of IT infrastructure or third party enforcement (e.g. enforcing a financial penalty against the bank of the controller with a branch in the Union) often require the enforcement of a decision outside of the national boundaries of the decision making SA. Similar to the Brussels-I-Regulation or Council Framework Decisions on traffic fines, such an enforcement option needs to be added to GDPR to ensure that cross-country cases are not only decided, but also have a realistic option to be enforced.


  • Adding an element to the Regulation would allow that SAs can enforce their decisions throughout the Union and are not limited to their boundaries.


  • The enforcement of foreign decisions is usually a delicate matter, but given that the GDPR forms harmonised material law and the OSS system allows all CSAs to intervene in a joint European decision process, it seems that GDPR enforcement lends itself to European enforcement.