Companies not established in the EU (or EEA) that process personal data regarding data subjects located in the European Union have to designate a “Representative in the Union” according to Art. 27 GDPR (also called EU Representative). The EU Representative serves as the point of contact for the supervisory authorities and for data subjects in all matters relating to the processing of personal data. This obligation will be particularly relevant for companies from the United Kingdom due to the imminent expiry of the Brexit transition period on 31 December 2020.
1. When do I have to designate an EU Representative?
According to the European General Data Protection Regulation (GDPR) your company is obliged to appoint a representative in the European Union (EU) as contact for all questions on data protection from EU citizens and data protection supervisory authorities if both of the following conditions (a. and b.) are met:
a. Your company is not established in the EU
This is the case if
- you do not have an office in an EU member state,
- you do not have a subsidiary in an EU member state, and
- you do not have any other kind of establishment in an EU member state.
b. Your company processes the data of people located in the EU
Your company processes the data of persons in the Union either (i) in connection with the supply of goods or services or (ii) to monitor the behaviour of these persons.
i. Offering Services or Products to Data Subjects in the EU
This is typically the case if you
- sell goods via an online shop,
- provide an online service or app,
- deliver goods to customers in EU member states,
- use EU website domains, such as .de, .fr, .es or .eu,
- use languages (on your website) or accept currencies of at least one EU member state (e.g. US company accepts Euro, Chinese company with German website),
- use specific product branding for the EU market,
- run marketing campaigns aiming at the EU market (e.g. landing pages for EU visitors, competition, raffle), or
- provide specific contact details for EU customers.
ii. Monitoring the Behaviour of People in the EU
The GDPR also covers the processing of data for the purpose of monitoring the behaviour of individuals in the EU. This is typically the case if your company
- tracks website visitors from the EU by using cookies or device fingerprinting,
- collects location or behavioural data (e.g. through websites, mobile apps or market surveys), or
- offers fitness tracking, personalised diet and health analytics services online.
2. The Role of EU Representative and Documentation Requirements
The EU Representative cooperates with the EU supervisory authorities on behalf of your company. Further, the EU Representative serves as a contact for data subjects for the purposes of ensuring compliance with the GDPR, and keeps a record of the data processing activities carried out by your company.
3. Documentation Obligations
Under the principle of accountability (Art. 5(2) GDPR), your company is obliged to maintain documentation of all data subject requests. The EU Representative will assist you with proper documentation of incoming requests.
4. Expiry of the Brexit transition period: UK becomes a third country
After the end of the Brexit transition period on 31 December 2020, the UK will be considered a third country within the meaning of Chapter V of the GDPR as of 1 January 2021. Companies based in the UK should therefore check whether they will have to appoint an EU Representative pursuant to Art. 27 GDPR as of 1 January 2021.
5. Legal consequences of non-compliance
A breach of the obligation to appoint an EU Representative is subject to a fine of up to EUR 10 million or 2% of the annual global turnover (whichever is higher) pursuant to Article 83(4)(a) of the GDPR.
PLANIT // LEGAL will be happy to take on the role of EU Representative and the associated tasks for your company. Please contact us at mail@planit.legal.