The new European General Data Protection Regulation (GDPR) [(EU) 2016/679], which has applied since May 25th, 2018, introduced an obligation for companies that are located outside the EU but process data in the EU to designate a representative within the EU.
Companies that do not have an office in the EU yet provide their products or services within the European Union must appoint a representative in the Union if they process personal data (GDPR Art. 27(1)).
The GDPR extends its territorial scope to processors and controllers that have their registered office outside the European Union but process personal data of data subjects (identified or identifiable natural persons) who are in the Union (Art. 3(2) GDPR). What matters is therefore not where the company is located or where the processing takes place, but whether the processed data concern individuals residing in the European Union.
This regulation also applies to services that are offered for free. In addition, it applies to non-EU-based companies that monitor the behaviour of EU residents (e.g. by creating a profile), as long as their behaviour takes place in the EU.
There is one exemption under which a non-EU company is not required to have an EU representative: if a company processes personal data only ‘occasionally’, and this processing is unlikely to result in a risk to the rights and freedoms of natural persons, the company is exempt. (What exactly constitutes ‘occasionally’ remains to be defined.)
It is important to note that if a company concludes that it does not need a representative, it must assess this decision and document it. The company has to be able to prove that its processing of personal data is only occasional.
Any natural or legal person who resides in one of the EU Member States can be designated as a representative in the Union for a non-EU-based company (Art. 4(17) GDPR).
Since EU representatives serve as the main contact persons for anything concerning the company’s processing of personal data under the GDPR, they need to be capable of communicating efficiently with the data subjects and cooperating effectively with the relevant data protection supervisory authorities.
The role of the EU representative should not be confused with that of the DPO (Data Protection Officer). Representatives of non-EU companies will not be required to assess GDPR compliance.
The representative acts on behalf of the controller or processor with regard to their obligations under the GDPR. The representative serves as the direct contact for the supervisory authorities and the data subjects (users / customers), and is also an authorised agent for receiving legal documents.
Additional tasks of the representative include maintaining records of processing activities (Art. 30(1) and (2) GDPR) and – where applicable – making the records available to the supervisory authority (Art. 30(4) GDPR).
It is also important to note that the appointment of a representative in no way replaces or limits the responsibilities of the company located outside the European Union. The controller or processor always remains accountable.
Not sure your company needs an EU Representative? We’re here to help and guide you through the scope and responsibilities of the GDPR.
Together with our partner Digital Compliance Consulting GmbH we can offer the full range of data privacy consulting, based on multiple appointments as external data protection officers for a wide range of companies and considerable experience in communicating with supervisory authorities all over Europe.