Representatives for third country companies
under Article 27 GDPR
Many companies based in the EU and subject to the strict data protection regulations of the GDPR wonder, which rules providers from third countries outside the European Union actually have to adhere to. The answer: They have to appoint an EU representative who has to organise information on the compliance with the GDPR regulations of the respective company!
That means: If personal data of individuals from the European Union is processed by a controller or processor not established in the Union and the data processing is related to
- offer goods or services, whether for consideration or not, to data subjects in the Union, or
- monitor the behaviour of data subjects (tracking, profiling) insofar as their behaviour takes place in the Union,
the controller or processor must designate in writing a representative in the European Union. Only public authorities, public bodies and the only occasional processing of non-personally traceable, less sensitive data pursuant to Articles 9 and 10 of the GDPR are exempt from this obligation; pure data transfers via European routers without knowledge or processing are also excluded. Every small online shop that collects address data already exceeds this limit! The representative is a natural or legal person (Art. 4 No. 17 DSGVO) and must be established in one of the EU states in which the persons affected by the processing or observation are also located.
The EU representative serves as a point of contact for data subjects as well as supervisory authorities on all issues arising in connection with data processing under the GDPR. In addition, he is the authorised representative for the receipt of legal documents and thus, as the representative of the principal, responsible for the organisation with regard to the legal obligations of the GDPR. This includes, among other things, the receipt and forwarding of data subject requests (e.g. for data access or deletion) or the provision of information or the provision of the list of processing activities and further information pursuant to Article 58(1)(a) GDPR to the supervisory authority. A certain expertise in the area of data protection and the GDPR is therefore definitely useful.
Legal responsibility remains with the principal of the representative, against whom any legal action will be taken directly.
Frequently asked questions about the EU representative
Any company that offers goods or services in the EU but is not established in the EU, i.e.
- does not have a branch or subsidiary in the EU,
- does not have an office and a production or sales site or other branch in a Member State of the EU, and
- has no other permanent facilities in the EU,
but wishes to offer or carry out data processing or monitoring in the EU must appoint a representative pursuant to Article 27 of the GDPR to whom the supervisory authorities and the data subjects can turn. This regulation is important for companies from the USA or Switzerland, for example. The use of EU-typical language on the website, the use of a country-specific domain extension such as .de or the acceptance of the euro as a means of payment already indicates an offer for which a representative must be appointed in accordance with Article 27 of the GDPR. The same applies to cookies, trackers and localisations in apps.
The GDPR provides for the so-called market place principle in Article 3(2) of the GDPR. If non-European organisations process personal data of European citizens, they fall within the scope of the GDPR and must provide a representative who can be reached within Europe in order to fulfil claims arising from the GDPR.
The representative's task is primarily that of a contact person. He therefore receives enquiries and documents for the third-country company and ensures that they are answered by his principal; he can thus also make legally effective declarations in the external relationship. However, the representative is not responsible for compliance with data protection regulations, nor is he liable for the processing procedures in the commissioning company. In most cases, he will transmit the requests from the EU to the data protection officer in the third country and return the answers to the requester. If necessary, he must also provide translation services in between so that the two parties to the request understand each other. The tasks of the data protection officer are much more extensive in comparison.
The GDPR does not define any direct requirements. However, since the representative must be able to speak to the supervisory authorities, you should look for expertise in data protection law, reliability and suitable multilingualism. In addition, the representative should have knowledge of the company, its data processing operations and data flows, as well as experience in dealing and cooperating with authorities. Appointing an unsuitable or non-existent person as a representative under Article 27 GDPR or not having a registered office in the specified country is, by the way, equivalent to not appointing such a representative - and can lead to heavy fines.
Only one EU-wide representative is required. Due to the different languages and cultural differences in the individual EU states, it might make sense to appoint several representatives.
The EU representative must be appointed in writing by the controller or processor. Pursuant to Articles 13 and 14 of the GDPR, data subjects must be informed of the existence of an EU representative, therefore the indication of the EU representative must be included in any privacy statement. In addition, the contact person should be listed in the register of processing activities pursuant to Article 30 of the GDPR.
The supervisory authorities can enforce the appointment of an EU representative and, if necessary, impose a fine. As with all violations of the GDPR, this can be very high and, according to Article 83 of the GDPR, can amount to up to 10 million euros or up to 2% of the total annual turnover achieved worldwide in the previous business year. It is also possible that proceedings for unfair competition may be instituted.
Do you still have questions about the topic or about data protection in general?
We are happy to help you:
Your data protection officer
Jörg ter Beek
Data protection expert