Extended scope of the GDPR
The GDPR has a very broad territorial scope: companies doing business in the EU are often subject to it even if they have no establishment there. Under Article 3(2) GDPR, the Regulation already applies when a non-EU company offers goods or services to individuals in the EU or monitors their behavior within the EU.
Who has to appoint a representative under the GDPR?
Any company without an establishment in the EU that offers goods or services (even free of charge) to individuals in the EU, or monitors their behavior, must appoint a representative in the EU under Article 27 GDPR. The obligation applies to controllers and processors alike. The threshold is low: a website that is directed at EU users (rather than merely accessible from the EU) will generally be enough to trigger the requirement.
Examples of activities that typically trigger the obligation include:
- delivering goods or services to the EU, accepting EU currencies, or offering the website in the languages of EU member states,
- search engine marketing campaigns targeting EU markets,
- tracking the behavior of individuals in the EU, e.g. via cookies or device fingerprinting,
- products that are international by nature, such as in the transport and travel industry,
- conducting clinical trials or market surveys in the EU.
Duties and role of the representative
The EU representative acts as the local contact point for individuals in the EU and for the EU data protection supervisory authorities, and represents the non-EU company with regard to its obligations under the GDPR (Article 27(4) GDPR).
In practice this means that service of process and administrative notifications delivered to the EU representative can have legal effect for the non-EU company, and that enforcement action can be directed at the representative. A GDPR representative should therefore have experience with EU data protection law in order to assess the resulting risks.
The EU representative:
- must be designated in writing,
- acts on behalf of the company and therefore needs a written mandate (power of attorney),
- maintains the company's records of processing activities (Article 30 GDPR) alongside the company itself,
- must be established in one of the EU member states where the individuals affected by the company's activities are located, and acts for the whole EU. It is not necessary to appoint a separate representative for each member state.
Fines
If a non-EU company is required to appoint an EU representative but fails to do so, this can lead to fines of up to EUR 10,000,000 or 2% of the company's total worldwide annual turnover, whichever is higher (Article 83(4) GDPR). Non-compliance is easy to spot, because the contact details of the EU representative must generally be stated in the privacy policy (Articles 13 and 14 GDPR). In May 2021, the Dutch Data Protection Authority imposed a fine of EUR 525,000 on a website operator established outside the EU for failing to appoint an EU representative.
Exemptions
The obligation to appoint an EU representative does not apply where the legislator anticipates only a low privacy risk (Article 27(2) GDPR). This is the case if the processing is only occasional, does not include large-scale processing of special categories of personal data (Article 9 GDPR) or of data relating to criminal convictions and offences (Article 10 GDPR), and is unlikely to result in a risk to the rights and freedoms of individuals. All of these conditions must be met cumulatively; in practice it is therefore rare for a non-EU company that falls within the territorial scope of the GDPR to benefit from this exemption. Public authorities and bodies are also exempt.