The GDPR has a very broad territorial scope: companies doing business within the EU will often be subject to the GDPR even if they have no establishment in the EU. The GDPR already applies when a Non-EU company offers goods or services to individuals in the EU or monitors their behavior (Art. 3 sec. 2 GDPR). Companies that are
- without an establishment in the EU, and
- offering goods or services (even if free of charge) to, or monitoring the behavior of, individuals in the EU
will need to appoint an EU representative according to Art. 27 GDPR, regardless of whether they are considered controllers or processors under the GDPR.
The threshold is very low: offering goods or services to the EU via a website directed at EU users (e.g. because goods or services are delivered to the EU, an EU currency is accepted, or EU languages are used) will generally trigger the requirement to appoint an EU representative. The same applies to any tracking of individuals in the EU, e.g. via cookies.
The EU representative acts as the local contact point for individuals in the EU and for EU data protection supervisory authorities, and represents the Non-EU company with regard to its obligations under the GDPR (Art. 4 No. 17 GDPR).
The following requirements have to be met:
- The EU representative needs to be designated in writing.
- The EU representative acts on behalf of the Non-EU company and therefore needs to be granted power of representation.
- The EU representative needs to be established in one of the EU member states where the data subjects affected by the activity of the Non-EU company are located. It is not necessary to appoint an EU representative for each EU member state.
If a Non-EU company is required to appoint an EU representative but fails to do so, it may face fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 sec. 4 GDPR).
The obligation to appoint an EU representative does not apply where the legislator anticipates only a small risk from a privacy perspective (Art. 27 sec. 2 GDPR). This is the case if the processing is only occasional, does not include large-scale processing of special categories of personal data (Art. 9 GDPR) or of personal data relating to criminal convictions and offences (Art. 10 GDPR), and is unlikely to result in a risk to the rights and freedoms of individuals.
All three conditions have to be met cumulatively; it is therefore very rare that a Non-EU company falling within the territorial scope of the GDPR can benefit from this exception.