
GDPR EU-Representative

for companies without EU establishments

Extended scope of the GDPR

The GDPR has a very broad scope of application; companies doing business within the EU will often be subject to the GDPR, even if they have no establishments in the EU. The GDPR already applies when a Non-EU company offers goods or services to individuals in the EU or monitors their behavior (Art. 3 sec. 2 GDPR).

Who has to appoint a representative under the GDPR?

All companies

  • without establishment in the EU
  • offering goods or services (even if for free) to, or monitoring the behavior of, individuals in the EU

will need to appoint an EU representative according to Art. 27 GDPR, regardless of whether the companies are considered controllers or processors under the GDPR.

The threshold is very low: offering services to the EU via a website directed to EU users (e.g. because goods/services are delivered to the EU, EU currency is accepted or EU languages are used) will generally trigger the requirement to appoint an EU representative. The same applies to any user tracking of EU residents, e.g. via cookies.

Duties of the Representative

The EU representative shall act as the local contact point for EU individuals and EU data protection supervisory authorities, and represent the Non-EU company with regard to its obligations under the GDPR (Art. 4 No. 17 GDPR).

The following requirements have to be met:

  • The EU representative needs to be designated in writing.
  • The EU representative shall act on behalf of the Non-EU company and therefore needs to have power of representation.
  • The EU representative needs to be established in one of the EU member states where the data subjects affected by the activity of the Non-EU company are located. It is not necessary to appoint an EU representative for each EU member state.

Fines

If a Non-EU company needs to appoint an EU representative but fails to do so, this may lead to fines of up to EUR 10,000,000.00 or 2% of the Non-EU company’s annual group turnover, whichever is higher.

Non-compliance with the obligation to appoint an EU representative is very easily visible, as the contact data of the EU representative generally needs to be provided within the privacy policy.

Exemptions

The obligation of appointing an EU representative does not apply to cases where the legislator anticipates a small risk from a privacy perspective. This is the case if processing only takes place occasionally, no sensitive personal data is involved, and the processing is unlikely to result in a risk to the rights and freedoms of individuals.

All these conditions have to be met cumulatively; it is therefore very rare that a Non-EU company falling within the territorial scope of the GDPR can benefit from this exemption.