Representative of controllers or processors not established in the Union. There is a difference between a "contact point" and an EU representative.
Pursuant to Article 3(2) of the GDPR, the geographical scope of application of the GDPR also extends to controllers and processors who are not established in the European Union (EU). Controllers and processors that are not established in the EU must appoint a representative in certain cases pursuant to Article 27 of the GDPR.
The obligation to appoint a representative is intended to improve the practical applicability of the GDPR for processing operations outside the Union.
Conditions and exceptions for the EU representative duty
Processing of personal data of individuals located within the EU with the purpose of
- offering goods or services to them or
- observing their behaviour.
Exceptions (two exceptions, Art. 27 (2) GDPR) exist when the data processing
- is only occasional,
- does not involve extensive processing of "sensitive" categories of data (Art. 9 GDPR special categories of personal data and Art. 10 GDPR) and
- is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, circumstances, scope and purposes of the processing.
These three conditions must be met cumulatively for the exception to apply. [1]
When examining whether the requirements of the exception pursuant to Article 27 (2) (a) of the GDPR are met, it is not a matter of specific individual processing operations. Rather, all processing operations to which the GDPR applies according to Art. 3(2) of the GDPR must be taken into account.[2]
Who can be appointed as EU representative?
A "representative" is a natural or legal person established in the Union and designated by the controller or processor (Article 4(17) GDPR). Accordingly, any natural or legal person established in the Union may be a representative within the meaning of Article 27(1) of the GDPR.
Prerequisites for a designation
The GDPR does not regulate requirements for a data protection qualification or professional prerequisites that a representative must fulfil. However, data protection supervisory authorities (and the literature) point out that the representative must be sufficiently trustworthy and able to perform his or her duties according to his or her skills and organisational equipment.[3]
Pursuant to Article 3 (2) of the GDPR, the appointment must be made in writing. The written form refers explicitly to the appointment. Notwithstanding this, the controller or processor should explicitly appoint the representative in writing (Recital 80).
Tasks of the EU representative
First of all: the data protection obligations incumbent on the controller or processor cannot be transferred to the representative merely by appointing one (cf. Art. 27 (5) GDPR). The controller or processor is and remains legally obliged within the meaning of the GDPR and responsible for the implementation of and compliance with the data protection requirements.
The main task of the representative is to assist his principal in fulfilling his duties and to represent him in their fulfilment.
However, the representative also has legal obligations of their own under the GDPR. These are:
- Keeping records of all processing activities, which may be made available to the supervisory authority upon request (Article 30 (4) of the GDPR).
- Serving as the contact point, in particular for data subjects and supervisory authorities, for all questions related to processing, in order to ensure compliance with the GDPR.
- The representative must cooperate with the supervisory authority in the performance of the tasks of the controller or processor upon request (Art. 31 GDPR).
The designation pursuant to Art. 27 GDPR does not put the representative in the legal position of a representative within the meaning of German civil law (cf. Section 164 (1) BGB).
Furthermore, the EU representative is bound by instructions. He therefore lacks the decision-making leeway to make declarations of intent on behalf of the controller or processor.
More than just a contact point
The representative is therefore not merely a contact point for data protection supervisory authorities or data subjects, acting as a kind of "mailbox".
Violations of Art. 27 of the GDPR can be sanctioned with fines of up to EUR 10 million or up to two percent of the total annual worldwide turnover of the previous year pursuant to Art. 83 (4) (a) of the GDPR.
We act as EU representative pursuant to Art. 27 GDPR for your company as a controller or processor in a third country.
Send us a message at consulting@adorgasolutions.de or call us on +49 173 8198864.
Further information about our offer: https://www.adorgasolutions.de/leistungen/datenschutz/eu-vertreter-nach-art-27-dsgvo/
[1] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), version 2.0 of 12.11.2019, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_consultation_de.pdf (last accessed 26.05.2023).
[2] Lang, M. (2022), Art. 27 DSGVO, In: Taeger, J., Gabel, D. (Eds.), DSGVO – BDSG – TTDSG, 4th edition, dfv Mediengruppe.
[3] Lang, M. (2022), Art. 27 DSGVO, para. 38, In: Taeger, J., Gabel, D. (Eds.), DSGVO – BDSG – TTDSG, 4th edition, dfv Mediengruppe.