1. Update your privacy policy (Arts. 13 and 14 GDPR)
Once you have appointed an EU representative, their contact details must appear in your privacy policy. This follows directly from Art. 13(1)(a) and Art. 14(1)(a) GDPR: data subjects have the right to know who is available as a point of contact within the EU – and this must be clearly documented.
At a minimum, the following information must be included: the EU representative’s full name and address, their email address, and a statement that they have been appointed pursuant to Art. 27 GDPR and act as a contact point for supervisory authorities and data subjects.
Example: A Canadian SaaS company offering project management software to customers in Germany and Austria must, following the appointment of Kanzlei Matutis as its EU representative, add a dedicated section to its privacy policy – including the firm’s name, address, and email address, together with a clear reference to the representative’s role under Art. 27 GDPR.
In practice, that section might read as follows:
As our company has no establishment within the European Union, we have appointed a representative in the EU pursuant to Art. 27 GDPR. The representative serves as a point of contact for supervisory authorities and data subjects within the EU:
Rechtsanwalt Cornelius Matutis
Berliner Straße 57
D-14467 Potsdam
Germany
Email: mail@matutis.de
The EU representative is authorised to receive enquiries from supervisory authorities and data subjects and to forward them to us. The representative acts on behalf of our company and does not replace it as the data controller. Enquiries may be directed either to us directly or to our EU representative.
2. Establish and maintain a record of processing activities (Art. 30 GDPR)
Any organisation that processes personal data of individuals in the EU is required under Art. 30 GDPR to maintain a record of processing activities (RoPA). This record documents internally which data are processed, for what purpose, on what legal basis, and for how long. The RoPA is not a bureaucratic formality: it is the central accountability instrument – and must be made available to a supervisory authority upon request (Art. 30(4) GDPR).
For controllers, the RoPA must contain at least the following information pursuant to Art. 30(1) GDPR:
- Name and contact details of the controller and its EU representative
- Purposes of each processing activity
- Categories of data subjects and of the personal data processed
- Categories of recipients
- Where applicable, transfers to third countries and the safeguards in place
- Where possible, envisaged retention periods and technical and organisational security measures
In practice, this means: when a data protection authority requests the RoPA, it will approach your EU representative. We therefore strongly recommend that you send us an up-to-date version of your RoPA following our appointment, and keep us informed of any changes.
Art. 30(5) GDPR provides an exemption for organisations with fewer than 250 employees – but only under very narrow conditions. It does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data under Art. 9 GDPR. For companies that require an EU representative, this exemption will generally not be available. If in doubt, assume that you are required to maintain a RoPA.
Example: A US company operating an e-commerce platform has its customer data processed by an external payment service provider. It must document this processing activity in full in its RoPA – including the contact details of our firm as EU representative. If the German data protection authority requests the RoPA, the company is obliged to produce it.
3. Establish a legal basis for every processing activity (Arts. 6 and 9 GDPR)
The GDPR prohibits the processing of personal data as a default – unless a lawful basis exists. For each processing activity, you must identify and document which of the grounds exhaustively listed in Art. 6(1) GDPR applies:
- Consent (Art. 6(1)(a) GDPR) – freely given, informed, unambiguous, specific in purpose, and revocable at any time
- Performance of a contract (Art. 6(1)(b) GDPR)
- Legal obligation (Art. 6(1)(c) GDPR)
- Vital interests (Art. 6(1)(d) GDPR)
- Public interest (Art. 6(1)(e) GDPR)
- Legitimate interests (Art. 6(1)(f) GDPR) – subject to a balancing test against the interests of the data subject
If you process special categories of personal data – health data, biometric data, data relating to ethnic origin, religious belief, or sexual orientation – Art. 6 GDPR alone is not sufficient. You must additionally satisfy one of the conditions exhaustively set out in Art. 9(2) GDPR, such as the data subject’s explicit consent under Art. 9(2)(a) GDPR.
Example: An Australian company offers a fitness app that stores heart rate and sleep data of its EU users. Since this constitutes health data under Art. 9(1) GDPR, the company requires not only a lawful basis under Art. 6 GDPR, but also explicit consent under Art. 9(2)(a) GDPR – and must document this carefully.
4. Uphold the rights of data subjects (Arts. 15–22 GDPR)
Individuals in the EU have extensive rights with respect to their personal data. As a controller, you must not only be aware of these rights – you must have the processes in place to give effect to them in practice:
- Right of access (Art. 15 GDPR): What data do you process, for what purpose, and for how long?
- Right to rectification (Art. 16 GDPR): Inaccurate data must be corrected without undue delay upon request.
- Right to erasure (Art. 17 GDPR): Applies when the purpose has lapsed or consent has been withdrawn.
- Right to restriction of processing (Art. 18 GDPR): Data may be stored but not further processed.
- Right to data portability (Art. 20 GDPR): Data must be provided in a machine-readable format.
- Right to object (Art. 21 GDPR): In particular where processing is based on legitimate interests.
- Protection against automated decision-making (Art. 22 GDPR): Special safeguards apply where decisions are made solely by automated means and produce significant effects.
Requests from data subjects must be responded to within one month (Art. 12(3) GDPR). That may sound manageable – but it is not if it is unclear internally who is responsible and how the necessary data can be compiled in time. Put internal processes in place before the first request arrives.
One important distinction: if a data subject addresses their request to us as your EU representative, we will forward it to you without delay. Handling the substance of the request is your responsibility – unless we have separately agreed to do so on your behalf in a specific case.
5. Implement technical and organisational measures (Art. 32 GDPR)
Art. 32 GDPR requires you to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by your processing activities. What is specifically required depends on the nature and scope of your processing – there is no rigid checklist. Typical measures include:
- Encryption of personal data (in transit and at rest)
- Pseudonymisation where feasible and appropriate
- Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems
- Access controls ensuring that only authorised individuals can access personal data
- Procedures for regularly testing and evaluating the effectiveness of measures
- Protocols for handling data breaches
Example: A Swiss company operates a platform through which customers in Germany upload personal documents. It must ensure that these documents are stored in encrypted form, that only authorised employees have access, and that the data can be restored in the event of a system failure.
6. Report data breaches (Arts. 33 and 34 GDPR)
If a personal data breach occurs within your organisation – whether through unauthorised access, loss of data, or inadvertent disclosure – strict notification obligations apply.
Under Art. 33 GDPR, you must notify the competent supervisory authority without undue delay, and where feasible no later than 72 hours after becoming aware of the breach – unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. The notification must describe the nature and extent of the breach, identify likely consequences, and set out the measures taken or proposed.
If the breach is likely to result in a high risk to data subjects, you are additionally required under Art. 34 GDPR to notify the affected individuals directly – without undue delay and in clear, plain language.
Since your EU representative is based in Germany, the state-level data protection authority with jurisdiction over our firm’s registered office will generally be the primary supervisory authority. Where individuals in multiple EU Member States are affected, other national supervisory authorities may also have jurisdiction.
In practice, this means: please inform us of any data breach as early as possible. The 72-hour window passes quickly. We can assist you with coordination with the supervisory authority – though this activity falls outside the flat-rate annual fee for the representative service and requires a separate arrangement.
7. Transfers of personal data to third countries – what actually applies to your company? (Arts. 44–49 GDPR)
A clarification is needed here that is regularly overlooked in practice.
The fact that you, as a non-EU company, process personal data of EU residents and are therefore subject to the GDPR by virtue of Art. 3(2) GDPR does not, in itself, constitute a “transfer” within the meaning of Arts. 44 et seq. GDPR. Under the wording of the Regulation and the EDPB’s Guidelines 05/2021, such a transfer presupposes that a controller or processor subject to the GDPR – the so-called exporter – discloses personal data to a recipient in a third country. If an EU customer enters their data directly on your platform and you process it within your own systems, there is simply no exporter in that sense. Standard Contractual Clauses concluded with your customers are neither foreseen nor appropriate in this configuration – the correct instrument for this purpose is the privacy policy under Art. 13 GDPR.
When do Arts. 44 et seq. GDPR nevertheless become relevant for your company?
There are two scenarios that arise very frequently in practice.
First scenario: You use EU-based service providers.
If you have personal data of EU customers stored by a hosting provider based in the EU, use an EU-based email or analytics service, or otherwise engage EU processors, each of those service providers is itself a GDPR-bound exporter. As soon as it transfers or makes data accessible to you in the course of its service, a third-country transfer within the meaning of Arts. 44 et seq. GDPR has occurred. You need appropriate safeguards for those data flows – typically the EU Standard Contractual Clauses, which you conclude not with your customers, but with those EU-based service providers.
Second scenario: You disclose EU customer data to further recipients outside the EU.
If you pass personal data of your EU customers on to subcontractors, analytics platforms, distribution partners, or other third parties outside the EU, that too constitutes a transfer within the meaning of Arts. 44 et seq. GDPR. Here again, appropriate safeguards are required.
In both cases, the same instruments are available:
- Adequacy decision (Art. 45 GDPR): Where the EU Commission has determined that an adequate level of protection exists in the country where your EU service provider or the third-party recipient is located – Switzerland benefits from such a decision; for certified US companies, the EU–U.S. Data Privacy Framework has applied since July 2023.
- Standard Contractual Clauses (Art. 46(2)(c) GDPR): The clauses adopted by the EU Commission in 2021 are concluded between the EU processor as exporter and you as importer – or between you and further third-country recipients to whom you pass EU data.
- Binding Corporate Rules (Art. 47 GDPR): Possible for intra-group transfers, but subject to approval and complex to implement.
- Derogations (Art. 49 GDPR): Permissible in narrowly defined individual cases – such as explicit consent – but not suitable as a permanent solution.
Example: A US company operates its online shop via a German hosting provider acting as a processor. As soon as that provider transfers EU customer data back to the US company in the course of its services, a third-country transfer has occurred. The US company must not only conclude a Data Processing Agreement with the German hosting provider under Art. 28 GDPR, but must also put Standard Contractual Clauses in place – not with its customers, but with the service provider.
8. Conclude data processing agreements (Art. 28 GDPR)
Where you engage service providers who process personal data on your behalf – cloud providers, email marketing platforms, IT service providers, analytics tools – those providers will generally act as processors under the GDPR. You must conclude a Data Processing Agreement (DPA) with each of them.
Under Art. 28(3) GDPR, the DPA must at a minimum cover the subject matter and duration of the processing, its nature and purpose, and the categories of data subjects and personal data involved. It must also ensure that the processor acts only on your documented instructions, maintains confidentiality, and does not engage sub-processors without your authorisation.
Example: A Swiss company uses a US-based email service for newsletters to EU customers and stores customer data in a cloud solution provided by a UK-based vendor. A DPA under Art. 28 GDPR must be concluded with both providers. Most major providers make their own standard contract terms available that address these requirements.
9. Assess whether a Data Protection Officer must be appointed (Art. 37 GDPR)
The EU GDPR representative is not a Data Protection Officer. The two roles are clearly distinct under the GDPR and cannot be filled by the same person.
Under certain conditions, companies outside the EU are also required to appoint a Data Protection Officer: namely, where their core activities consist of large-scale, regular, and systematic monitoring of individuals – such as extensive online tracking or profiling – or where they process special categories of data under Art. 9 GDPR on a large scale (Art. 37(1) GDPR).
The concept of “core activities” deserves careful attention. It is not sufficient that a company uses cookies somewhere or manages customer data. What is meant is that data processing of this kind is what the business model fundamentally depends on – not a mere ancillary function.
Example: A US company operates a platform that tracks and analyses the behaviour of millions of EU residents in order to deliver personalised advertising. Given the scale and systematic nature of this monitoring, it is required to appoint a Data Protection Officer – in addition to the EU representative under Art. 27 GDPR.
The Data Protection Officer does not need to be based in the EU. What matters is that the appointed individual or organisation has the requisite expertise in data protection law.