The General Data Protection Regulation regulates in particular the processing of personal data.
Article 27 (1) GDPR states that a "representative in the (European) Union" needs to be appointed if personal data of data subjects who are in the Union is processed by a company not established in the EU, where the data processing activities are related to:
There are very limited exceptions to such obligation.
A natural or legal person may be designated. The representative must be established in one of the EU Member states where the data subjects whose personal data are processed are located. The representative's task is to additionally serve as a point of contact for or in place of the represented company (in particular) for supervisory authorities and data subjects for questions relating to the data processing.
The representative can likely not be sanctioned for violations of the GDPR by the represented company. In dispute, however, is whether GDPR fines can be levied for a breach of its own duties.
The NIS Directive aimed to harmonize cybersecurity requirements across the European Union and increase the cybersecurity capabilities of EU Member states.
The requirement to designate a "representative (in the Union)" stems from Article 18 (2) of the Regulation. According to this digital service providers not established in the European Union, but offering
have to appoint a representative, if they offer services in the European Union. The representative shall be established in one of those EU Member states where the services are offered. Also, the digital service provider shall be deemed to be under the jurisdiction of the EU Member state where the representative is established. The Directive itself describes what it means by a representative in Article 4 No. 10. According to that provision, a representative is any natural or legal person established in the European Union who is expressly designated to act on behalf of a digital service provider not established in the European Union and who may be addressed by a competent national authority or a CSIRT (computer security incident response team - responsible for risk and incident handling) in place of the digital service provider with regard to that digital service provider's obligations under the NIS Directive. The representative should be designated by a written mandate from the digital service provider to act on its behalf in relation to its obligations under this Directive, including incident reporting.
The NIS Directive does not contain any provisions on the liability of the representative. It only clarifies that the appointment of a representative by the digital service provider should be without prejudice to any legal action that might be taken against the digital service provider itself.
The NIS 2-Directive draft serves to adapt the NIS Directive to the digital transformation and the accompanying greater threat level in the area of cyber security. It pursues the goal of ensuring a high level of cybersecurity in the European Union. It is not yet in effect. Nevertheless, on May 13 2022 the Council and the European Parliament have reached a provisional agreement. The provisional agreement is now subject to approval by the Council and the European Parliament.
Regulations on the appointment of a "representative (in the Union)" can be found in Article 24 (3) and (4) of the draft. According to this
who do not have an establishment in the European Union but offer their services within the European Union must appoint a representative in the European Union. According to Recital 65, the representative shall act on behalf of the entity and it shall be possible for competent authorities and CSIRTs to contact the representative. In addition, the representative shall be expressly instructed in writing by the represented entity to act on the entity's behalf within the scope of the entity's obligations arising from the draft law, which shall in particular include the reporting of security incidents.
The NIS2 Directive draft also does not include any provisions on the liability of the representative. Rather, it is only clarified that the designation of the representative is without prejudice to legal actions that may be initiated against the represented entity itself. In addition, the draft explicitly regulates that in the absence of (but necessary) designation of a representative, any EU Member state in which the entity provides services may take legal action against the entity for such non-compliance.
The Regulation on preventing the dissemination of terrorist content online aims to curb the spread of terrorist content and thus strengthen the public security of the European Union. To this end, it primarily sets out a series of obligations for hosting service providers. It applies to all hosting service providers that offer services in the European Union and disseminate information publicly, regardless of where they are headquartered.
For hosting service providers that do not have their main establishment in the European Union, Article 17 of the Regulation provides rules on the "legal representative". Accordingly, such a provider shall designate, in writing, a legal representative in the European Union for the receipt, compliance and enforcement of removal orders and decisions relating to terrorist content issued by the competent authorities. The representative may be either a natural person or a legal entity and has to be provided with the necessary powers and resources to comply with the decisions and removal orders of the authorities and to cooperate with them. The competent authority in the EU Member state where the legal representative is resident or established shall be informed of the designation.
The legal representative can be held liable for violations arising from the regulation. However, this does not affect the liability of the hosting service providers.
The Digital Services Act is a regulation that aims at ensuring a safe digital space free of illegal content and the protection of users' fundamental rights. To this end, it lays down comprehensive regulations for dealing with illegal content, liability and the regulation of (online) intermediaries. On July 5, 2022, the European Parliament approved the Digital Services Act. Now only the Council of the European Union has to formally approve it. After a short transition period the DSA will probably come into force in fall of this year.
Article 11 contains provisions concerning a "legal representative", which stipulates that providers of intermediary services (the scope includes certain mere conduit, caching and hosting services) who do not have an establishment in the European Union but offer their services in the European Union must appoint a legal representative. Here, too, the designation must be made in writing. A legal entity or a natural person can be appointed. The legal representative shall be "mandated" by the intermediary service providers in such a way that it may be called upon, in addition to or instead of the service provider, by the EU Member state authorities, the Commission and the European Board for Digital Services (an independent advisory group of Digital Services Coordinators on the supervision of providers of intermediary services) in all matters necessary for the receipt, compliance and enforcement of decisions related to the Regulation. It shall be provided with the necessary powers and resources to cooperate with the authorities of the EU Member states, the Commission and the Board. The intermediary service provider shall notify the Digital Services Coordinator (a designated authority responsible for all matters relating to the supervision and enforcement of the regulation) in the EU Member state where the legal representative is established of the name, address, e-mail address and telephone number of the legal representative and shall ensure that the information is kept up to date.
The legal representative may also be held liable for breaches of (the intermediary service providers) obligations under the Regulation, without this affecting the liability of intermediary service providers.
The Data Governance Act attempts to promote the free availability and exchange of data. Both (so called) data intermediation services and data altruism organisations are required to appoint a representative. It was adopted on May 30, 2022 and is effective as of September 24, 2023.
The Data Governance Act does not regulate the liability of the representative. It is limited to stating that the designation of the representative is without prejudice to any legal action that may be taken against the data intermediary service provider. However, Article 14 (5) regulates that if the legal representative fails to provide the required information to the competent authority upon request, the authority has the power to postpone the start of the provision of the data brokering service or suspend it until the required information has been provided.
Article 11 (3) states that a data intermediation services provider that is not established in the European Union, but which offers the data intermediation services as
within the European Union, shall designate a “legal representative” in one of the EU Member states in which those services are offered. It is intended to act as a point of contact alongside or in place of the data intermediation service for the competent authority or data subjects. It is also to serve as a point of contact for data holders on issues related to the data intermediation services provided. In addition, it shall cooperate with the competent authorities (for data intermediation) and provide them, upon request, with comprehensive information on the measures and precautions taken by the provider of the data brokering services to ensure compliance with the Regulation.
Qualified data altruism organisations (recognized in a public national register due to an application) which are not established in the European Union shall designate a “legal representative” in one of the EU Member states in which the data altruism services are offered, Article 19 (3). The legal representative shall be mandated by the entity to be addressed in addition to or instead of it by competent authorities for the registration of data altruism organisations or data subjects and data holders, with regard to all issues related to that entity. The legal representative shall also cooperate with and comprehensively demonstrate to the competent authorities for the registration of data altruism organisations, upon request, the actions taken and provisions put in place by the entity to ensure compliance with this Regulation.
The aim of the AI Act is to create a uniform legal framework for artificial intelligence. Negotiations between the EU institutions (trilogue) are expected to start at the end of the year and to be completed in 2023.
Regulations concerning an "authorised representative" are found in Article 25 of the draft Regulation. The draft regulation states that providers (a natural or legal person, public authority, agency or other body that develops an AI system or that has an AI system developed with a view to placing it on the market or putting it into service under its own name or trademark) established outside the European Union must appoint an authorized representative established in the European Union by written mandate before making their systems available on the European Union market if no importer can be identified. The AI Act also specifies a minimum scope of the representative's mandate, which must at least empower him to:
Liability of the representative is not provided for in the Regulation.
The e-Privacy Regulation draft, which is intended to replace the e-Privacy Directive, inter alia pursues the goal of establishing a legal framework for when the processing of electronic communications data may be carried out by the provider of the communications service and when it may have access to the data stored on users' devices. The e-Privacy Regulation is not expected to enter into force before 2023. The transition period is expected to last until 2025 (24 months).
Regulations on the "representative (in the Union)” can be found in Article 3 of the draft. Such a representative must be appointed in writing within one month after commencement of the activity. Obligated to such a nomination are
who are not established in the European Union. Similar to the GDPR, limited exceptions apply. The representative must be located in an EU Member state in which the end users of the electronic communications services are also located. The draft describes the representative's task to be mostly in line with the GDPR. It is thus intended as a point of contact for competent authorities and end users for all matters relating to the processing of electronic communications data.
The draft e-Privacy Regulation also does not provide for any express liability of the representative. Paragraph 5 only clarifies that the designation is without prejudice to legal steps against the represented company.
The objective of the European Health Data Space Regulation is to strengthen the linkage of national health systems across the European Union through secure, efficient access to and exchange of health data. The Regulation is not in force, yet. The draft was introduced by the European Commission on 3 May 2022.
Regulations on the "authorized representative" are found in Article 18, according to which a manufacturer of an EHR (electronic health record) system – an information system used in the health domain – established outside the European Union must designate a representative by written mandate before making an EHR system available on the European Union market. The manufacturer can specify in the mandate which tasks the representative shall perform. However, the regulation specifies certain minimum content of the mandate. It should allow the representative to do at least the following:
Liability of the representative is not provided for in the Regulation.
Both at European and EU member state level, there are further regulations on the obligation to appoint a representative.
For example, in the Regulation on Clinical Trials of Medicinal Products for Human Use, ((EU) No. 536/2014), there is a requirement to appoint a legal representative if the sponsor of a clinical trial is not established in the European Union, Article 74. This representative is responsible for ensuring that the sponsor's obligations under this Regulation are met and is the addressee of all notifications to the sponsor provided for in this Regulation. Any communication to that legal representative shall be deemed to be a communication to the sponsor.
The Regulation on Medical Devices, ((EU) 2017/745) contains regulations on an authorised representative in its Article 11. The designation shall constitute the authorised representative's mandate, it shall be valid only when accepted in writing by the representative and shall be effective at least for all devices of the same generic device group. The regulation also specifies a minimum content of the mandate.
At e.g. the German level, an appointment obligation can be found, for example, in Section 25b of the German Banking Act (KWG). According to this provision, when using outsourcing companies with a registered office in a third country, it must be contractually ensured that the outsourcing company appoints a domestic delivery agent to whom notifications and deliveries can be made by the competent federal institution.
Overall, it can be said that the European legislator more and more regards the representative as an important component of its regulations. Whereas initially there was hardly any provision for the representative's own liability, in more recent legal acts there is an increasing number of provisions which also stipulate the representative's liability. It is therefore to be expected that the EU legislator will also provide for the liability of the representative in future legislations.
You need assistance in appointing a representative? Please reach out to us!
Co-Author: Hannes Bastians.