17 June 2024
The General Data Protection Regulation regulates in particular the processing of personal data.
Article 27 (1) GDPR states that a "representative in the (European) Union" needs to be appointed if personal data of data subjects who are in the Union is processed by a company not established in the EU, where the data processing activities are related to:
There are very limited exceptions to this obligation.
A natural or legal person may be designated. The representative must be established in one of the EU Member states where the data subjects whose personal data is processed are located. The representative's task is to serve as a point of contact for or in place of the represented company (in particular) for supervisory authorities and data subjects for questions relating to the data processing.
The representative cannot be sanctioned for violations of the GDPR by the represented company. GDPR fines can however potentially be levied for a breach of the representative’s own duties.
Similar requirements apply to companies not established in the UK. More information can be found here.
The NIS 2-Directive pursues the goal of ensuring a high level of cybersecurity in the European Union. It enters into force in October 2024. Regulations on the appointment of a "representative (in the Union)" can be found in Article 26 (3) and (4) of the Directive. According to this
who do not have an establishment in the European Union but offer their services within the European Union must appoint a representative in the European Union. According to Recital 116, the representative shall act on behalf of the entity and it shall be possible for competent authorities and CSIRTs to address the representative. In addition, the representative shall be expressly instructed in writing by the represented entity to act on the entity's behalf within the scope of the entity's obligations arising from the draft law, which shall in particular include the reporting of security incidents.
The NIS2 Directive does not include any provisions on the liability of the representative. Rather, it is only clarified that the designation of the representative is without prejudice to legal actions that may be initiated against the represented entity itself. In addition, the Directive explicitly regulates that in the absence of a designation of a representative, any EU Member state in which the entity provides services may take legal action against the entity for non-compliance with the Directive.
The Regulation on preventing the dissemination of terrorist content online aims to curb the spread of terrorist content and thus strengthen the public security of the European Union. To this end, it primarily sets out a series of obligations for hosting service providers. It applies to all hosting service providers that offer services in the European Union and disseminate information publicly, regardless of where they are headquartered.
For hosting service providers that do not have their main establishment in the European Union, Article 17 of the Regulation provides rules on the "legal representative". Accordingly, such a provider shall designate, in writing, a legal representative in the European Union for the receipt, compliance and enforcement of removal orders and decisions relating to terrorist content issued by the competent authorities. The representative may be either a natural person or a legal entity and has to be provided with the necessary powers and resources to comply with the decisions and removal orders of the authorities and to cooperate with them. The competent authority in the EU Member state where the legal representative is resident or established shall be informed of the designation.
The legal representative can be held liable for violations arising from the regulation. However, this does not affect the liability of the hosting service providers.
Digital Services Act
The Digital Services Act is a regulation that aims at ensuring a safe digital space free of illegal content and the protection of users' fundamental rights. To this end, it lays down comprehensive regulations for dealing with illegal content, liability and the regulation of (online) intermediaries. On July 5, 2022, the European Parliament approved the Digital Services Act. Now only the Council of the European Union has to formally approve it. After a short transition period the DSA will probably come into force in fall of this year.
Article 11 contains provisions concerning a "legal representative", which stipulates that providers of intermediary services (the scope includes certain mere conduit, caching and hosting services) who do not have an establishment in the European Union but offer their services in the European Union must appoint a legal representative. Here, too, the designation must be made in writing. A legal entity or a natural person can be appointed. The legal representative shall be "mandated" by the intermediary service providers in such a way that it may be called upon, in addition to or instead of the service provider, by the EU Member state authorities, the Commission and the European Board for Digital Services (an independent advisory group of Digital Services Coordinators on the supervision of providers of intermediary services) in all matters necessary for the receipt, compliance and enforcement of decisions related to the Regulation. It shall be provided with the necessary powers and resources to cooperate with the authorities of the EU Member states, the Commission and the Board. The intermediary service provider shall notify the Digital Services Coordinator (a designated authority responsible for all matters relating to the supervision and enforcement of the regulation) in the EU Member state where the legal representative is established of the name, address, e-mail address and telephone number of the legal representative and shall ensure that the information is kept up to date.
The legal representative may also be held liable for breaches of the intermediary service provider's obligations under the Regulation, without this affecting the liability of intermediary service providers.
The Data Governance Act attempts to promote the free availability and exchange of data. Both (so called) data intermediation services and data altruism organisations are required to appoint a representative. It was adopted on May 30, 2022 and is effective as of September 24, 2023.
The Data Governance Act does not regulate the liability of the representative. It is limited to stating that the designation of the representative is without prejudice to any legal action that may be taken against the data intermediary service provider. However, Article 14 (5) regulates that if the legal representative fails to provide the required information to the competent authority upon request, the authority has the power to postpone the start of the provision of the data brokering service or suspend it until the required information has been provided.
Article 11 (3) states that a data intermediation services provider that is not established in the European Union, but which offers the data intermediation services as
within the European Union, shall designate a “legal representative” in one of the EU Member states in which those services are offered. It is intended to act as a point of contact alongside or in place of the data intermediation service for the competent authority or data subjects. It is also to serve as a point of contact for data holders on issues related to the data intermediation services provided. In addition, it shall cooperate with the competent authorities (for data intermediation) and provide them, upon request, with comprehensive information on the measures and precautions taken by the provider of the data brokering services to ensure compliance with the Regulation.
Qualified data altruism organisations (recognized in a public national register due to an application) which are not established in the European Union shall designate a “legal representative” in one of the EU Member states in which the data altruism services are offered, Article 19 (3). The legal representative shall be mandated by the entity to be addressed in addition to or instead of it by competent authorities for the registration of data altruism organisations or data subjects and data holders, with regard to all issues related to that entity. The legal representative shall also cooperate with and comprehensively demonstrate to the competent authorities for the registration of data altruism organisations, upon request, the actions taken and provisions put in place by the entity to ensure compliance with this Regulation.
The aim of the AI Act is to create a uniform legal framework for artificial intelligence.
Regulations concerning an "authorised representative" are found in Articles 22 and 54 of the AI Act. The Act states that providers of high-risk AI systems or of general purpose AI models established outside the European Union must appoint an authorized representative established in the European Union by written mandate before making their systems available on the European Union market. The AI Act also specifies a minimum scope of the representative's mandate, which must at least empower them to:
Representatives of general purpose AI model providers need to verify further compliance obligations of the model providers.
Liability of the representative is not provided for in the Regulation. However, the representative shall terminate the mandate with the provider if it considers or has reason to consider the provider to be acting contrary to its obligations pursuant to the AI Act.
The e-Privacy Regulation draft (a detailed analysis can be found here), which is intended to replace the e-Privacy Directive, inter alia pursues the goal of establishing a legal framework for when the processing of electronic communications data may be carried out by the provider of the communications service and when it may have access to the data stored on users' devices. The e-Privacy Regulation is not expected to enter into force before 2025 – if at all. The transition period is expected to last until 2027 (24 months).
Regulations on the "representative (in the Union)" can be found in Article 3 of the draft. Such a representative must be appointed in writing within one month after commencement of the activity. Obligated to such a nomination are
who are not established in the European Union. Similar to the GDPR, limited exceptions apply. The representative must be located in an EU Member state in which the end users of the electronic communications services are also located. The draft describes the representative's task to be mostly in line with the GDPR. It is thus intended as a point of contact for competent authorities and end users for all matters relating to the processing of electronic communications data.
The draft e-Privacy Regulation also does not provide for any express liability of the representative. Paragraph 5 only clarifies that the designation is without prejudice to legal steps against the represented company.
The objective of the European Health Data Space Regulation is to strengthen the linkage of national health systems across the European Union through secure, efficient access to and exchange of health data. The Regulation is not yet in force. The draft was introduced by the European Commission on 3 May 2022. A political agreement between the European Parliament and the Council was reached in Spring 2024.
Regulations on the "authorized representative" are found in Article 18, according to which a manufacturer of an EHR (electronic health record) system – an information system used in the health domain – established outside the European Union must designate a representative by written mandate before making an EHR system available on the European Union market. The manufacturer can specify in the mandate which tasks the representative shall perform. However, the regulation specifies certain minimum content of the mandate. It should allow the representative to do at least the following:
Liability of the representative is not provided for in the draft Regulation.
Both at European and EU member state level, there are further regulations on the obligation to appoint a representative.
For example, in the Regulation on Clinical Trials of Medicinal Products for Human Use, ((EU) No. 536/2014), there is a requirement to appoint a legal representative if the sponsor of a clinical trial is not established in the European Union, Article 74. This representative is responsible for ensuring that the sponsor's obligations under this Regulation are met and is the addressee of all notifications to the sponsor provided for in this Regulation. Any communication to that legal representative shall be deemed to be a communication to the sponsor.
The Regulation on Medical Devices, ((EU) 2017/745) contains regulations on an authorised representative in its Article 11. The designation shall constitute the authorised representative's mandate, it shall be valid only when accepted in writing by the representative and shall be effective at least for all devices of the same generic device group. The regulation also specifies a minimum content of the mandate.
At the German level, for example, an appointment obligation can be found in Section 25b of the German Banking Act (KWG). According to this provision, when using outsourcing companies with a registered office in a third country, it must be contractually ensured that the outsourcing company appoints a domestic delivery agent to whom notifications and deliveries can be made by the competent federal institution.
Overall, it can be said that the European legislator increasingly regards the representative as an important component of its regulations. Whereas initially there was hardly any provision for the representative's own liability, in more recent laws there is an increasing number of provisions which also stipulate the representative's liability. It is therefore to be expected that the EU legislator will provide for the liability of the representative in future legislation.
You need assistance in appointing a representative? Please reach out to us!
Co-Author: Hannes Bastians.