Representatives for third country companies

Any company that offers goods or services in the EU but is not established in the EU, i.e.

• does not have a branch or subsidiary in the EU,
• does not have an office and a production or sales site or other branch in a Member State of the EU, and
• has no other permanent facilities in the EU,

but wishes to offer or carry out data processing or monitoring in the EU must appoint a representative pursuant to Article 27 of the GDPR to whom the supervisory authorities and the data subjects can turn. This regulation is important for companies from the USA or Switzerland, for example. The use of EU-typical language on the website, the use of a country-specific domain extension such as .de or the acceptance of the euro as a means of payment already indicates an offer for which a representative must be appointed in accordance with Article 27 of the GDPR. The same applies to cookies, trackers and localisations in apps.

The GDPR provides for the so-called market place principle in Article 3(2) of the GDPR. If non-European organisations process personal data of European citizens, they fall within the scope of the GDPR and must provide a representative who can be reached within Europe in order to fulfil claims arising from the GDPR.

The representative's task is primarily that of a contact person. He therefore receives enquiries and documents for the third-country company and ensures that they are answered by his principal; he can thus also make legally effective declarations in the external relationship. However, the representative is not responsible for compliance with data protection regulations, nor is he liable for the processing procedures in the commissioning company. In most cases, he will transmit the requests from the EU to the data protection officer in the third country and return the answers to the requester. If necessary, he must also provide translation services in between so that the two parties to the request understand each other. The tasks of the data protection officer are much more extensive in comparison.

The GDPR does not define any direct requirements. However, since the representative must be able to speak to the supervisory authorities, you should look for expertise in data protection law, reliability and suitable multilingualism. In addition, the representative should have knowledge of the company, its data processing operations and data flows, as well as experience in dealing and cooperating with authorities. Appointing an unsuitable or non-existent person as a representative under Article 27 GDPR or not having a registered office in the specified country is, by the way, equivalent to not appointing such a representative - and can lead to heavy fines.

Only one EU-wide representative is required. Due to the different languages and cultural differences in the individual EU states, it might make sense to appoint several representatives.

The EU representative must be appointed in writing by the controller or processor. Pursuant to Articles 13 and 14 of the GDPR, data subjects must be informed of the existence of an EU representative, therefore the indication of the EU representative must be included in any privacy statement. In addition, the contact person should be listed in the register of processing activities pursuant to Article 30 of the GDPR.

The supervisory authorities can enforce the appointment of an EU representative and, if necessary, impose a fine. As with all violations of the GDPR, this can be very high and, according to Article 83 of the GDPR, can amount to up to 10 million euros or up to 2% of the total annual turnover achieved worldwide in the previous business year. It is also possible that proceedings for unfair competition may be instituted.