The GDPR has a very broad scope of application; companies doing business within the EU will often be subject to the GDPR, even if they have no establishments in the EU. The GDPR applies already when a NON-EU COMPANY offers goods or services to individuals in the EU or monitors their behaviour (Art. 3 sec. 2 GDPR).
Who has to appoint a representative under the GDPR?
will need to appoint an EU REPRESENTATIVE (Art. 27 GDPR), regardless of whether the companies are considered controllers or processors under the GDPR.
The threshold is very low: offering services to the EU via a website directed to EU users (e.g. because goods/ services are delivered to the EU, EU currency is accepted or EU languages are used) will trigger the requirement to appoint an EU REPRESENTATIVE. Same applies to any user tracking of EU residents, e.g. via cookies.
The EU REPRESENTATIVE shall act as local contact point for EU individuals and EU data protection supervisory authorities, and represent the non-EU company with regard to their respective obligations under the GDPR (Art. 4 No. 17 GDPR).
The following requirements have to be met:
If a non-EU company needs to appoint an EU representative but fails to do so, this may lead to fines of up to EUR 10,000,000.00 or 2% of non-EU company’s annual group turnover, whatever is higher.
The obligation of appointing an EU REPRESENTATIVE does not apply to cases where the legislator anticipates a small risk from a privacy perspective. This is the case if processing only takes place occasionally, no sensitive personal data is involved, and the processing is unlikely to result in a risk to the rights and freedoms of individuals. All these conditions have to be met cumulatively; therefore it is highly unlikely that a non-EU company falling into the territorial scope of the GDPR can benefit from that exception.
Non EU companies can generally not take advantage of the “one stop shop” principle of the GDPR, which says that only one “lead authority” is responsible for all regulatory matters of a company throughout the EU. Consequently, whenever the GDPR requires contacting data protection authorities, without the one stop shop rule regulators in potentially all EU member states have to be contacted - in local language! One important practical example where notification of data protection authorities is required are data breaches, which have to be reported to the competent regulator within 72 hours.
However, good news for companies who appointed an EU representative: the EU supervisory authorities regard the notification of a single data protection authority at the place of residence of the EU representative as sufficient.
This facilitates the process of data breach notification significantly, in particular if individuals from various EU countries are affected.
Similar privileges exist with regard to the new “standard contractual clauses”, a measure to justify data transfers from the EU to non-EU countries: When concluding these standard contractual clauses, data importers outside the EU may have to subject themselves to the authority of all EU supervisory authorities in the EU countries where data subjects whose data is transferred are located. If an EU representative is appointed, only the authority at the place of residence of the EU representative is responsible.
GDPR does no longer apply directly in the UK, but is implemented via the “UK GDPR”. The requirements of the GDPR are introduced “copy and paste” into UK law, including the requirement to appoint a representative. This means that companies doing cross-border business with the UK may need to appoint a separate UK Representative if they do not have an establishment in the UK. The requirements for appointing a UK rep and the corresponding fines for not doing so are the same as under the GDPR. In particular, if they do not have an establishment “on the ground”,