What is the Legal Situation?

Companies based outside the European Union that process personal data of individuals who are in the EU are, under the conditions set out in Article 3(2) and Article 27 GDPR, obliged to designate a GDPR Representative within the EU. The obligation exists so that supervisory authorities and data subjects have a reachable contact point in the Union for all questions relating to the processing. The trigger is the location of the data subjects in the EU, not their citizenship.

When is a GDPR Representative Required?

A representative must be designated if the company's processing falls under Article 3(2) GDPR, that is, if it is related to one of the first two activities below, and none of the exemptions described further down applies. The third point lists processing for which the exemption for occasional, low-risk processing cannot be claimed:

Offering goods or services to individuals in the EU

This applies irrespective of whether the individuals have to pay, provided the company actively targets the EU market. Indicators include, for example, a website offered in the language of an EU Member State or prices shown in euros; the mere fact that a website can be accessed from the EU is not in itself sufficient.

Example: A US software company sells licenses to customers in Germany and provides its website in German. In this case, a GDPR Representative is required.

Monitoring the behavior of individuals in the EU

Companies that monitor the behaviour of individuals in the EU, for example through tracking technologies, profiling, or personalised advertising, also need a GDPR Representative, as far as the monitored behaviour takes place within the EU.

Example: A Canadian company uses web tracking technologies to evaluate the browsing behaviour of users in the EU and to display targeted advertising. Because this constitutes monitoring of behaviour within the EU, there is an obligation to appoint a representative.

Large-scale processing of special categories of personal data

Processing of sensitive data such as health data, ethnic origin, political opinions, or data relating to criminal convictions and offences (Articles 9 and 10 GDPR) on a large scale rules out the exemption for occasional, low-risk processing in Article 27(2)(a). A company whose EU-related processing includes such data therefore always needs a GDPR Representative.

Example: An Australian company operates a health app that stores and analyses sensitive health data of users in the EU. Since this involves large-scale processing of special categories of data, the exemption is unavailable and a GDPR Representative must be appointed.

When is a GDPR Representative Not Required?

There are exceptions where a company does not have to appoint a GDPR Representative, even if it has customers in the EU:

Purely passive sales activities

If a company does not actively target the EU market but merely accepts orders from EU customers without directing its offering at them, Article 3(2) does not apply and there is no obligation to appoint a GDPR Representative.

Example: A Swiss online shop sells products worldwide without advertising to the EU market or directing its website at EU customers. EU customers can place orders, but the company does not explicitly target them. In this case, a GDPR Representative is not required.

Only occasional processing of personal data

If personal data of individuals in the EU is processed only occasionally, does not include large-scale processing of special categories of data or data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of the data subjects, the exemption in Article 27(2)(a) applies and no representative needs to be appointed. All three conditions must be met at the same time.

Example: A British company sporadically sells products to EU customers, but this amounts to only a few transactions per year and is not aimed at systematic development of the EU market. In this case, a representative is not required.

Data processing by public authorities

Public authorities and bodies outside the EU are exempt from the obligation to appoint a GDPR Representative (Article 27(2)(b)).

Example: A governmental educational institution in Canada processes personal data of EU citizens within the framework of an exchange program. Since it is a public institution, there is no obligation to appoint a representative.

Tasks of the GDPR Representative

The representative in the EU serves as a central point of contact, in addition to or instead of the controller or processor, for:

Supervisory Authorities: They answer inquiries and cooperate with data protection authorities in the EU.
Data Subjects: They enable the exercise of data subject rights according to the GDPR and establish a direct contact option.

What the GDPR Representative Does Not Undertake

There are clear boundaries regarding which tasks do not fall within the scope of the GDPR Representative:

No transfer of responsibility for the data processing: Designating a representative does not affect the responsibility or liability of the controller or processor under the GDPR, which remains entirely with the company (Article 27(5), Recital 80). Recital 80 does, however, foresee that the representative itself may be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

No internal data protection consulting: The GDPR Representative does not act as a data protection officer and does not advise the company internally on data protection issues or the implementation of technical and organizational measures.

No control over GDPR compliance: The representative does not audit or monitor whether the company complies with the GDPR; its role is that of a contact and communication point. The mandate must nevertheless include cooperating with the competent supervisory authorities on any action taken to ensure compliance (Recital 80).

No legal representation in proceedings: The GDPR Representative is the contact point for supervisory authorities and data subjects, but the Article 27 mandate alone does not make it the company's legal representative in proceedings before courts. Designation is without prejudice to legal actions that can be brought against the controller or processor themselves (Article 27(5)).

Legal Basis

The legal framework for the EU GDPR Representative is Article 27 of the General Data Protection Regulation, together with the associated Recital 80:

Article 27

Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

The corresponding Recital 80 of the General Data Protection Regulation on the designation of a representative states:

Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body.

The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority.

The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation.

The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation.

Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.

The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.