This country’s post-Brexit data protection regime, the UK GDPR (General Data Protection Regulation), requires non-UK organisations that process UK residents’ personal data to appoint a representative in the UK.

In the same way, the EU GDPR requires non-EEA organisations that process EU residents’ personal data to appoint a representative in the EU. This blog post explains who this requirement applies to – and what they need to do.

Who does the EU GDPR apply to?

When it took effect in 2018, the EU GDPR significantly reshaped European data protection law. One of the most notable changes it introduced is its broad territorial reach.

The Regulation applies not only to organisations established in the EU, but also to controllers and processors around the world that handle the personal data of EU residents. Under Article 27, many of these organisations must formally appoint an EU representative.

Who exactly needs an EU representative?

You are likely to require an EU GDPR representative if your organisation:

• Has no establishment or staff located in the EU or EEA,
• Provides goods or services to customers in EU member states, or
• Tracks or profiles the behaviour of individuals in the EU.

You are not required to appoint an EU representative if your processing is only occasional, does not involve large-scale use of special category or criminal data, and is unlikely to present a high risk to individuals’ rights and freedoms.

Who can act as an EU representative and what do they do?

As the title suggests, EU representatives must be established in the EU and work on behalf of non-EU-based organisations.

The appointment must be made in writing and should clearly set out the scope of the representative’s responsibilities.

Their tasks include:

• Acting as the designated contact for supervisory authorities and data subjects regarding GDPR obligations and processing activities, and
• Keeping records of processing activities, as required by Article 30 of the GDPR.

The EDPB (European Data Protection Board) has confirmed in its Guidelines 3/2018 that this requirement applies whenever the GDPR’s extraterritorial provisions (Article 3(2)) are triggered.

Free download: Appointing an EU Representative – What UK organisations need to know

Download our free white paper to learn more about:

• The legislative background;
• Who needs a GDPR or NIS Directive representative;
• How to designate a representative; and
• The duties of the representative.

Selecting your EU representative

Your EU representative can be any natural or legal person who’s based in an EU member state within which you collect personal data.

If you only collect information from data subjects in, say, France, your EU representative must be based in France. However, if you collect personal data from the entirety of the EU, you can appoint a representative in any EU member state.

When you have multiple countries to choose from, it’s best to select the one in which you collect the most data or conduct the most extensive monitoring.

Appoint your EU representative today

If you need an EU representative, we’re here to help.

Our sister company GRCI Law’s team of lawyers and information and cyber security experts can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.

• With a background in compliance spanning over 20 years, their qualified data protection professionals understand the precise requirements of the EU GDPR.  
• Our efficient service enables you to appoint an EU Representative, and fulfil article 27 of the EU GDPR, within hours. 
• Transparent pricing means you know what you’re paying – no surprises. 

A version of this blog was originally published in March 2019.