Representatives for third country companies

under Article 27 GDPR

Datenschutzberatung Würzburg

    Many companies based in the EU and subject to the strict data protection regulations of the GDPR wonder which rules providers from third countries outside the European Union actually have to adhere to. The answer: they have to appoint an EU representative who organises information on the respective company's compliance with the GDPR!

    That means: If personal data of individuals from the European Union is processed by a controller or processor not established in the Union and the data processing is related to

    1. offering goods or services, whether for consideration or not, to data subjects in the Union, or
    2. monitoring the behaviour of data subjects (tracking, profiling) insofar as their behaviour takes place in the Union,

    the controller or processor must designate in writing a representative in the European Union. Only public authorities, public bodies and merely occasional processing of non-personally traceable, less sensitive data pursuant to Articles 9 and 10 of the GDPR are exempt from this obligation; pure data transfers via European routers without knowledge or processing are also excluded. Every small online shop that collects address data already exceeds this limit! The representative is a natural or legal person (Art. 4 No. 17 GDPR) and must be established in one of the EU states in which the persons affected by the processing or observation are also located.

    The EU representative serves as a point of contact for data subjects as well as supervisory authorities on all issues arising in connection with data processing under the GDPR. In addition, he is the authorised representative for the receipt of legal documents and thus, as the representative of the principal, responsible for the organisation with regard to the legal obligations of the GDPR. This includes, among other things, the receipt and forwarding of data subject requests (e.g. for data access or deletion) or the provision of information or the provision of the list of processing activities and further information pursuant to Article 58(1)(a) GDPR to the supervisory authority. A certain expertise in the area of data protection and the GDPR is therefore definitely useful.

    Also important:

    Legal responsibility remains with the principal of the representative, against whom any legal action will be taken directly.

    FAQ

    Frequently asked questions about the EU representative

    Who needs a representative according to Art. 27 GDPR?

    Any company that offers goods or services in the EU but is not established in the EU, i.e.

    • does not have a branch or subsidiary in the EU,
    • does not have an office and a production or sales site or other branch in a Member State of the EU, and
    • has no other permanent facilities in the EU,

    but wishes to offer or carry out data processing or monitoring in the EU must appoint a representative pursuant to Article 27 of the GDPR to whom the supervisory authorities and the data subjects can turn. This regulation is important for companies from the USA or Switzerland, for example. The use of EU-typical language on the website, the use of a country-specific domain extension such as .de or the acceptance of the euro as a means of payment already indicates an offer for which a representative must be appointed in accordance with Article 27 of the GDPR. The same applies to cookies, trackers and localisations in apps.

    Why does the representative need to be appointed under Article 27 GDPR?

    Article 3(2) of the GDPR provides for the so-called marketplace principle. If non-European organisations process personal data of European citizens, they fall within the scope of the GDPR and must provide a representative who can be reached within Europe in order to fulfil claims arising from the GDPR.

    What is the difference between the Article 27 representative and the Data Protection Officer?

    The representative's task is primarily that of a contact person. He therefore receives enquiries and documents for the third-country company and ensures that they are answered by his principal; he can thus also make legally effective declarations in the external relationship. However, the representative is not responsible for compliance with data protection regulations, nor is he liable for the processing procedures in the commissioning company. In most cases, he will transmit the requests from the EU to the data protection officer in the third country and return the answers to the requester. If necessary, he must also provide translation services in between so that the two parties to the request understand each other. The tasks of the data protection officer are much more extensive in comparison.

    What personal requirements should a representative fulfil under Article 27 GDPR?

    The GDPR does not define any direct requirements. However, since the representative must be able to speak to the supervisory authorities, you should look for expertise in data protection law, reliability and suitable multilingualism. In addition, the representative should have knowledge of the company, its data processing operations and data flows, as well as experience in dealing and cooperating with authorities. Appointing an unsuitable or non-existent person as a representative under Article 27 GDPR or not having a registered office in the specified country is, by the way, equivalent to not appointing such a representative - and can lead to heavy fines.

    How many Article 27 representatives do I need to appoint?

    Only one EU-wide representative is required. Due to the different languages and cultural differences in the individual EU states, it might make sense to appoint several representatives.

    How and to whom do I announce the appointment of a representative?

    The EU representative must be appointed in writing by the controller or processor. Pursuant to Articles 13 and 14 of the GDPR, data subjects must be informed of the existence of an EU representative, so the EU representative must be named in any privacy statement. In addition, the contact person should be listed in the register of processing activities pursuant to Article 30 of the GDPR.

    What happens if I do not appoint a representative under Article 27 GDPR?

    The supervisory authorities can enforce the appointment of an EU representative and, if necessary, impose a fine. As with all violations of the GDPR, this can be very high and, according to Article 83 of the GDPR, can amount to up to 10 million euros or up to 2% of the total annual turnover achieved worldwide in the previous business year. It is also possible that proceedings for unfair competition may be instituted.

    For small & medium enterprises, B2B

    145€ /Month

    • We provide your DPO
    • Initial analysis (document analysis)
    • Digital privacy manual (web-based platform)
    • Onboarding, coaching & progress review included.
    • Employee training (eLearning up to 25 employees)
    • Cookie banner (check & consulting), subsequent monitoring / reporting
    • Privacy policy for websites (1x CLOUD DSE), incl. protection against warning costs
    • Communication via TEAMS, phone & e-mail
    • Project management via service desk & ticket system
    • Support Hotline (IT, Legal, Web)
    • No travel expenses, flexible scheduling
    • Update Service & Newsletter
    • Personal contact

    Perfect for e-commerce, logistics, IT & B2C

    245€ /Month

    • We provide your DPO, incl. subsidiaries
    • Inventory (audit & document analysis)
    • Digital data protection manual (web-based platform) with 3 access points
    • Onboarding, coaching & progress review included.
    • Employee training (eLearning up to 75 employees)
    • Cookie banner (check & consulting), subsequent monitoring / reporting
    • Privacy policy for websites (3x CLOUD DSE), incl. warning cost protection
    • Social Media Privacy Policy (e.g. Xing, FB, IG)
    • Communication via TEAMS, phone & e-mail
    • Project management via service desk & ticket system
    • Instant support (IT, Legal, Web)
    • Controlling: We keep an eye on your projects
    • No travel expenses, flexible scheduling
    • Update Service & Newsletter
    • Data protection seal
    • Personal contact

    Perfect for companies with more complex requirements & B2C

    Upon request

    • We provide your DPO, incl. subsidiaries, groups etc.
    • Inventory (audit & document analysis)
    • Digital data protection manual (web-based platform) with any number of accesses
    • Employee training (onsite, individual webinars, eLearning).
    • Cookie Banner (implementation, configuration), subsequent monitoring / reporting
    • Privacy policy website (CLOUD DSE), incl. protection against warning costs
    • Social Media Privacy Policy (e.g. Xing, FB, IG)
    • Communication via TEAMS, phone & e-mail
    • Project management via service desk & ticket system
    • Instant support (IT, Legal, Web)
    • Onboarding, coaching & progress review including communication.
    • Data protection seal
    • Update service & newsletter (company-specific)
    • Personal contact & project manager
    • Individual package: scope according to contract

    Do you still have questions about the topic or about data protection in general?

    We are happy to help you:

    Your data protection officer

    Jörg ter Beek
    Data protection expert