The GDPR has a very broad scope of application: companies doing business within the EU will often be subject to the GDPR, even if they have no establishments in the EU. The GDPR applies already when a non-EU company offers goods or services to individuals in the EU or monitors their behavior.
All companies without establishments in the EU offering goods or services (even if for free) to, or monitoring the behavior of individuals in the EU will need to appoint an EU representative according to Article 27 GDPR, regardless of whether the companies are considered controllers or processors under the GDPR. The threshold is very low: offering services to the EU via a website directed to EU users will generally trigger the requirement to appoint an EU representative.
Examples of use cases include:
- delivery of goods or services to the EU, acceptance of EU currencies, or use of the local languages of EU member states,
- search engine marketing campaigns targeting EU markets,
- user tracking of EU residents, e.g. via cookies or device fingerprints,
- products with an international nature, such as in the transport and travel industry,
- performance of clinical trials or market surveys in the EU.
The EU representative shall act as the local contact point for EU individuals and EU data protection supervisory authorities, and represent the non-EU company with regard to its obligations under the GDPR.
For example, service of process or administrative notifications delivered to the EU representative can have legal effect for the non-EU company. GDPR representatives should therefore have experience with EU data protection laws in order to assess risks.
The EU representative:
- needs to be designated in writing,
- shall act on behalf of the company and therefore needs power of attorney,
- maintains records of processing activities (Article 30 GDPR) of the company,
- needs to be established in one of the EU member states where the data subjects affected by the activity of the company are located and acts for the whole EU. It is not necessary to appoint separate representatives for each EU member state.
Companies which have appointed an EU representative benefit from a one-stop shop in case they are required to report data breaches to the supervisory authorities pursuant to Article 33 GDPR. In the case of cross-border incidents, companies without an EU establishment are otherwise required to roll out multilingual reporting to various national authorities throughout the EU. The one-stop shop can therefore be a great relief, particularly considering that notifications must be made within 72 hours after becoming aware of the incident.
The obligation of appointing an EU representative does not apply to cases where the legislator anticipates a small risk from a privacy perspective. This is the case if processing only takes place occasionally, no sensitive personal data is involved, and the processing is unlikely to result in a risk to the rights and freedoms of individuals. All these conditions have to be met cumulatively; therefore it is very rare that a non-EU company falling into the territorial scope of the GDPR can benefit from that exception.
We’re happy to offer our service as a subcontractor to law firms and data protection advisors. Please don’t hesitate to contact us!