When is there an ob­li­ga­ti­on to appoint an EU re­pre­sen­ta­ti­ve under the GDPR?

Re­pre­sen­ta­ti­ve of con­trol­lers or pro­ces­sors not es­tab­lished in the Union. There is a dif­fe­rence between a „contact point“ and an EU representative.
Pur­su­ant to Article 3(2) of the GDPR, the geo­gra­phi­cal scope of ap­pli­ca­ti­on of the GDPR also extends to con­trol­lers and pro­ces­sors who are not es­tab­lished in the Eu­ro­pean Union (EU). Con­trol­lers and pro­ces­sors that are not es­tab­lished in the EU must appoint a re­pre­sen­ta­ti­ve in certain cases pur­su­ant to Article 27 of the GDPR.

The ob­li­ga­ti­on to appoint a re­pre­sen­ta­ti­ve is in­ten­ded to improve the prac­ti­cal ap­pli­ca­bi­li­ty of the GDPR for pro­ces­sing ope­ra­ti­ons outside the Union.

Con­di­ti­ons and ex­cep­ti­ons for the EU re­pre­sen­ta­ti­ve duty

Pro­ces­sing of per­so­nal data of in­di­vi­du­als located within the EU with the purpose,

• • • offer goods or ser­vices to them or
    • to observe their behaviour.

Ex­cep­ti­ons (two ex­cep­ti­ons Art. 27 (2) GDPR) exist when the data pro­ces­sing is

• is only occasional,
• does not involve ex­ten­si­ve pro­ces­sing of „sen­si­ti­ve“ ca­te­go­ries of data (Art. 9 DS-GVO special ca­te­go­ries of per­so­nal data and Art. 10 DS-GVO) and
• the data pro­ces­sing is un­li­kely to result in a risk to the rights and free­doms of natural persons, taking into account the nature, cir­cum­s­tances, scope and pur­po­ses of the processing.

These three con­di­ti­ons must be met cu­mu­la­tively for the ex­cep­ti­on to apply. [1]

When ex­ami­ning whether the re­qui­re­ments of the ex­cep­ti­on pur­su­ant to Article 27 (2) (a) of the GDPR are met, it is not a matter of spe­ci­fic in­di­vi­du­al pro­ces­sing ope­ra­ti­ons. Rather, all pro­ces­sing ope­ra­ti­ons to which the GDPR applies ac­cor­ding to Art. 3(2) of the GDPR must be taken into account.[2]

Who can be ap­poin­ted as EU representative?

A ‚re­pre­sen­ta­ti­ve‘ is a natural or legal person es­tab­lished in the Union and de­si­gna­ted by the con­trol­ler or pro­ces­sor (Article 4(17) GDPR). Ac­cor­din­gly, any natural or legal person es­tab­lished in the Union may be a re­pre­sen­ta­ti­ve within the meaning of Article 27(1) of the GDPR.

Pre­re­qui­si­tes for a designation

The GDPR does not re­gu­la­te re­qui­re­ments for a data pro­tec­tion qua­li­fi­ca­ti­on or pro­fes­sio­nal pre­re­qui­si­tes that a re­pre­sen­ta­ti­ve must fulfil. However, data pro­tec­tion su­per­vi­so­ry aut­ho­ri­ties (and the li­te­ra­tu­re) point out that the re­pre­sen­ta­ti­ve must be suf­fi­ci­ent­ly trust­wor­t­hy and able to perform his or her duties ac­cor­ding to his or her skills and or­ga­ni­sa­tio­nal equip­ment.[3]

Pur­su­ant to Article 3 (2) of the GDPR, the ap­point­ment must be made in writing. The written form refers ex­pli­cit­ly to the ap­point­ment. Not­wi­th­stan­ding that the con­trol­ler or pro­ces­sor should ex­pli­cit­ly appoint the re­pre­sen­ta­ti­ve in writing (Recital 80).

Tasks of the EU representative

First of all: The data pro­tec­tion ob­li­ga­ti­ons in­cum­bent on the con­trol­ler or pro­ces­sor cannot be trans­fer­red to the latter alone by ap­poin­ting a re­pre­sen­ta­ti­ve (cf. Art. 27 (5) GDPR). The con­trol­ler or pro­ces­sor is and remains legally obliged within the meaning of the GDPR and re­spon­si­ble for the im­ple­men­ta­ti­on of and com­pli­ance with the data pro­tec­tion requirements.

The main task of the re­pre­sen­ta­ti­ve is to assist his prin­ci­pal in ful­fil­ling his duties and to re­pre­sent him in their fulfilment.

However, the re­pre­sen­ta­ti­ve also has legal ob­li­ga­ti­ons under the GDPR, these are:

• Keeping  records of all pro­ces­sing ac­ti­vi­ties, which may be made available to the su­per­vi­so­ry aut­ho­ri­ty upon request (Article 30 (4) of the GDPR).
• Contact point for all ques­ti­ons related to pro­ces­sing for data sub­jects and su­per­vi­so­ry aut­ho­ri­ties in par­ti­cu­lar, in order to ensure com­pli­ance with the GDPR.
• The re­pre­sen­ta­ti­ve must co­ope­ra­te with the su­per­vi­so­ry aut­ho­ri­ty in the per­for­mance of the tasks of the con­trol­ler or pro­ces­sor upon request (Art. 31 GDPR).

The de­si­gna­ti­on pur­su­ant to Art. 27 GDPR does not put the re­pre­sen­ta­ti­ve in the legal po­si­ti­on of a re­pre­sen­ta­ti­ve, which cor­re­sponds to German civil law (cf. Section 164 (1) BGB).

Fur­ther­mo­re, the EU re­pre­sen­ta­ti­ve is bound by in­s­truc­tions. He the­r­e­fo­re lacks the de­cis­­i­on-making leeway to make de­cla­ra­ti­ons of intent on behalf of the con­trol­ler or processor.

More than just a contact point

It is the­r­e­fo­re not merely a contact point for data pro­tec­tion su­per­vi­so­ry aut­ho­ri­ties or data sub­jects, acting as a kind of „mailbox“.

Vio­la­ti­ons of Art. 27 of the GDPR can be sanc­tion­ed with fines of up to EUR 10 million or up to two percent of the total annual world­wi­de tur­no­ver of the pre­vious year pur­su­ant to Art. 83 Art. 4 lit. a of the GDPR.

We take over the func­tion as EU re­pre­sen­ta­ti­ve ac­cor­ding to Art. 27 GDPR as con­trol­ler or pro­ces­sor in third count­ries for your company.
Send us a message at consulting@adorgasolutions.de or call us on +49 173 8198864.

Further in­for­ma­ti­on about our offer: https://www.adorgasolutions.de/leistungen/datenschutz/eu-vertreter-nach-art-27-dsgvo/ 

[1] EDSA, Gui­de­lines 3/2018 on the ter­ri­to­ri­al scope of the GDPR (Article 3), version 2.0 of 12.11.2019 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_consultation_de.pdf (last ac­ces­sed 26.05.2023).

[2] Lang, M. (2022), Art. 27 DSGVO, In: Taeger, J., Gabel, D. (Eds.), DSGVO – BDSG – TTDSG, 4th edition, dfv Mediengruppe.

[3] Lang, M. (2022), Art. 27 DSGVO, para. 38, In: Taeger, J., Gabel, D. (eds.), DSGVO – BDSG – TTDSG, 4th edition, dfv Mediengruppe.