Do I need to appoint an EU-based representative?

Owned by Heather Hartman (Unlicensed)
Last updated: Oct 16, 2019
2 min read

Disclaimer

This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.


GDPR states that businesses that are not located in the EU (or don’t have a branch or subsidiary in EU) will have to appoint an EU-based representative (GDPR Art. 27).

Yes, you read this right. I personally feel that this is way too much to demand from foreign companies – but that’s unfortunately the current state of the law.

The representative must be a legal entity or a person with whom you have an arrangement to represent you or your company in any GDPR-related issues. The representative should be knowledgeable in data protection-related issues and proficient in communicating with data subjects as well as supervisory authorities.

According to GDPR Art. 4 (17): “Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.”

Seriously? Is there any way around this?

Probably not.

GDPR article 27 (2) states that obligation to appoint representative shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.

Unless you are a public authority or body, your way out of this obligation would be only if your processing:

  1. is occasional; and
  2. does not include processing of sensitive data or data relating criminal convictions on a large scale; and
  3. is unlikely to cause risks to rights and freedoms of data subject.

All these conditions have to be met in order to be free of obligation to appoint representative.

However, if you actually target EU based customers or users and actively sell your products or provide a service in the EU, it is very likely that you would not be considered exempt from the law. In this case, you will most likely have to appoint representative.

Some law firms and other companies offer this as a service. You can find some of them via Google – or alternatively sign up to our mailing list. In April, we’ll put together a list of reasonable choices and share it with you.

This requirement is stupid, what happens if I just ignore it?

We will find that out after May 25 

Sign up to our newsletter if you’d like to get notified if something interesting happens.