Are you a company or organization outside the European Economic Area (EEA) that processes personal data of individuals within the EU? If so, this information is critical for you. The General Data Protection Regulation (GDPR) may require you to appoint an EU representative, even if your organization does not have a physical presence within the EU.
To whom does this obligation apply?
This rule applies to controllers and processors who:
- are located outside the European Union or EEA;
- have no offices, branches or subsidiaries in the EU/EEA; and
- either:
  - offer goods or services to persons in the EU (even if free of charge); or
  - monitor behavior of individuals in the EU, for example through tracking cookies, behavioral analysis or profiling.
In short, if your organization processes EU citizens’ personal data for commercial or analytical purposes, you must comply with the EU GDPR and appoint an EU GDPR representative.
What does the appointment of an EU representative under GDPR entail?
If you fall under this provision, you must enter into a written agreement with a GDPR representative in the EU, such as DPO Associates bv. This representative will act on behalf of your organization towards:
- data protection authorities in the EU;
- data subjects (individuals whose personal data you process).
The representative can be an individual or an organization (such as an EU DPO service provider, law firm or privacy consultancy) and must be based in an EU member state where at least part of your target audience is located.
According to Article 27 of the GDPR, this appointment is mandatory for companies without an EU office or headquartered outside the EEA that are subject to the GDPR.
What are your obligations?
- Appoint a representative in an appropriate EU member state;
- Enter into a written agreement defining the representative’s mandate;
- Include contact information for the representative in your privacy notice or in the information you provide to data subjects;
- Also make this information publicly available, e.g. through your website;
- Appointing a representative does not relieve you of your own responsibility or liability under the GDPR.
For further clarification, consult the official guidelines of the European Data Protection Board (EDPB).
Sample situation
Example
A Canadian e-commerce company sells sporting goods to customers in Germany, France and Spain. The company has no physical presence in Europe, but uses Google Analytics to track the behavior of European visitors. Because it both actively offers services to EU consumers and monitors their behavior, the company must appoint an EU GDPR representative.
It chooses to appoint a privacy consultant in Germany as its representative. This consultant acts as a point of contact for German regulators and consumers. Contact details are included in the privacy statement on the website, where they can be easily found.
Looking for a GDPR representative in Europe?
If you need support in appointing a representative or DPO in the EU, we offer a full service. Contact us to become compliant with European privacy laws.