For companies without EU-Establishement
Extended scope of the GDPR
The GDPR has a very broad scope of application; companies doing business within the EU will often be subject to the GDPR, even if they have no establishments in the EU. The GDPR applies already when a NON-EU COMPANY offers goods or services to individuals in the EU or monitors their behaviour (Art. 3 sec. 2 GDPR).
Who has to appoint a representative under the GDPR?
All companies:
- without establishment in the EU
- offering goods or services (even if for free) to, or monitoring the behaviour of individuals in the EU
will need to appoint an EU REPRESENTATIVE (Art. 27 GDPR), regardless of whether the companies are considered controllers or processors under the GDPR.
The threshold is very low: offering services to the EU via a website directed to EU users (e.g. because goods/ services are delivered to the EU, EU currency is accepted or EU languages are used) will trigger the requirement to appoint an EU REPRESENTATIVE. Same applies to any user tracking of EU residents, e.g. via cookies.
Duties of the Representative
The EU REPRESENTATIVE shall act as local contact point for EU individuals and EU data protection supervisory authorities, and represent the non-EU company with regard to their respective obligations under the GDPR (Art. 4 No. 17 GDPR).
The following requirements have to be met:
- The EU representative needs to be designated in writing
- The EU representative shall act on behalf of the non-EU complany and therefore needs to have power of representation.
- The Representative needs to be established in one of the EU member states where the data subjects affected by the activity of the non-EU company are located. It is not necessary to appoint an EU representative for each EU member state.
Fines
If a non-EU company needs to appoint an EU representative but fails to do so, this may lead to fines of up to EUR 10,000,000.00 or 2% of non-EU company’s annual group turnover, whatever is higher.
Exemptions
The obligation of appointing an EU REPRESENTATIVE does not apply to cases where the legislator anticipates a small risk from a privacy perspective. This is the case if processing only takes place occasionally, no sensitive personal data is involved, and the processing is unlikely to result in a risk to the rights and freedoms of individuals. All these conditions have to be met cumulatively; therefore it is highly unlikely that a non-EU company falling into the territorial scope of the GDPR can benefit from that exception.
EU representative creates “one stop shop”
Non EU companies can generally not take advantage of the “one stop shop” principle of the GDPR, which says that only one “lead authority” is responsible for all regulatory matters of a company throughout the EU. Consequently, whenever the GDPR requires contacting data protection authorities, without the one stop shop rule regulators in potentially all EU member states have to be contacted - in local language! One important practical example where notification of data protection authorities is required are data breaches, which have to be reported to the competent regulator within 72 hours.
However, good news for companies who appointed an EU representative: the EU supervisory authorities regard the notification of a single data protection authority at the place of residence of the EU representative as sufficient.
This facilitates the process of data breach notification significantly, in particular if individuals from various EU countries are affected.
Similar privileges exist with regard to the new “standard contractual clauses”, a measure to justify data transfers from the EU to non-EU countries: When concluding these standard contractual clauses, data importers outside the EU may have to subject themselves to the authority of all EU supervisory authorities in the EU countries where data subjects whose data is transferred are located. If an EU representative is appointed, only the authority at the place of residence of the EU representative is responsible.
UK Representative required
GDPR does no longer apply directly in the UK, but is implemented via the “UK GDPR”. The requirements of the GDPR are introduced “copy and paste” into UK law, including the requirement to appoint a representative. This means that companies doing cross-border business with the UK may need to appoint a separate UK Representative if they do not have an establishment in the UK. The requirements for appointing a UK rep and the corresponding fines for not doing so are the same as under the GDPR. In particular, if they do not have an establishment “on the ground”,
- companies based in the EU collecting data in the UK may need to appoint a representative under the UK GDPR,
- companies based in the UK collecting data in the EU may need to appoint a representative under the EU GDPR,
- companies based in other countries collecting data in the UK and the EU may need to appoint both an EU and a UK representative.
Download the paper
