    EU Representative – A Hidden Obligation under the GDPR

    Summary: In this article, Illia Shenheliia explains the circumstances in which non-EU resident companies are required to appoint a representative in the Union under the GDPR, and discusses the liability they could face for violating this requirement.

    Author: Illia Shenheliia, Associate partner

    In this article, Illia Shenheliia explains which non-EU resident companies are required to appoint an EU representative under the GDPR, who can serve as such representative, and discusses other related issues.

    Requirement to Appoint Representative in EU

    In May 2018, the European Union saw the General Data Protection Regulation (GDPR) come into force. GDPR rules apply to European companies (residents) and, in some cases, to companies outside the EU (non-residents).

    One of the obligations applicable to the non-EU resident companies is an obligation to appoint a representative in the EU.

    For instance, this requirement often applies to foreign companies exporting services to the European Union and non-resident companies that collect or process personal data of individuals in the EU.

    Highlight: Among lawyers, this obligation is even referred to as "hidden", as many are simply unaware of it.
    The issue of appointing an EU representative has become topical again after the European Data Protection Board (EDPB) prepared Guidelines 3/2018 on the territorial scope of GDPR, the last section of which is dedicated to this matter. EDPB is the EU body responsible for a uniform policy on personal data protection legislation application. Its clarifications are used by regulatory authorities in applying GDPR, so they should be taken seriously.

    Personal data is considered any information that directly or indirectly identifies an individual (name, email, IP address, photo, etc.).

    Who Must Appoint an EU Representative?

    A representative in the EU must be appointed by a natural or legal person if it meets all three of the following criteria:

    • collects or processes personal data of individuals in the EU,

    • is located outside the EU, and

    • offers goods or services, or monitors the behavior of individuals in the EU.

    If the majority of the data subjects are located in one EU country, it's recommended to appoint a representative specifically in that country. For example, if a foreign company without representation in the EU sells products to consumers from Italy (20%), Spain (30%), and France (50%), it is advised to appoint a representative in France.

    Exceptions

    However, there's an exception. A representative does not need to be appointed if data processing: (1) is occasional, doesn't involve large-scale processing of special categories of data (e.g., about race, religion) or criminal offence data, and (2) is unlikely to pose a risk to the rights and freedoms of individuals.

    Processing is considered occasional if it's not part of the company's normal operations, occurs under random circumstances, and at arbitrary intervals. For instance, if a non-EU company organizes a one-time conference in Berlin, collecting personal data of German citizens, it doesn't need to appoint an EU representative.

    Who Can Be a Non-Resident's Representative in the EU?

    The representative can be any natural or legal person residing or registered in the EU, such as an employee, consultant, agent, law firm, or another company. A contract or other document must be signed, as the GDPR requires the representative to be appointed "in writing." One person can simultaneously represent an unlimited number of non-residents.

    It's important to note that the EU representative cannot simultaneously be the Data Protection Officer (DPO) — EDPB stated this in its Guidelines 3/2018. Therefore, it's recommended to separate these roles to avoid regulatory bodies interpreting such "combination" as lacking a DPO or representative.

    Responsibilities of the Representative

    The EU representative acts as the non-resident's contact in the Union. They can receive any inquiries regarding the non-resident's compliance with GDPR, for example, requests from individuals (data subjects) or government bodies. In essence, the representative's role is passive, as they merely act as an intermediary in communications with the non-resident they represent.

    The only "active" duty of the representative is maintaining a data processing register ("register of processing activities"). EDPB considers this a joint responsibility of the non-resident and their EU representative.

    Liability of the Representative

    Appointing a representative does not absolve the non-resident of responsibility for GDPR violations nor transfers their liability to the representative. However, the current wording of GDPR does not provide a clear understanding of when and to what extent the representative may be liable for Regulation breaches.

    Due to a lack of practice, there were two prevailing opinions regarding the representative's liability for GDPR violations:

    • The first was based on the notion that penalties are intended as punishment for violations. Therefore, if the representative did not breach their duties (namely, contact with governmental bodies and individuals, and maintaining a processing register), they should not bear any liability.

    • The second opinion was based on a literal interpretation of GDPR's declarative norm (recital 80), suggesting that enforcement proceedings could be initiated against the representative in case of a violation of GDPR rules.

    EDPB clarified that the representative should bear liability to the same extent as the non-resident they represent. Thus, the representative is a liable party for GDPR purposes.

    It's noteworthy that an earlier version of GDPR explicitly provided for the representative's liability alongside the non-resident they represent. The final edition of GDPR softened this provision regarding representatives, suggesting that the legislator decided not to penalize representatives for "others'" mistakes.

    Ultimately, EDPB's interpretation puts the representative at risk, while GDPR does not grant them sufficient rights and powers to prevent negative consequences, such as fines, at least for themselves.

    What if You Don't Appoint an EU Representative?

    Failing to appoint a representative can result in a fine of up to 10 million euros or up to 2% of the worldwide annual revenue of the preceding financial year.

    According to GDPR, a non-resident must include the contact details of their EU representative in their Privacy Notice (e.g., on their website's privacy policy). EDPB stated that if a non-resident company, required to provide its EU representative's contact details in the Privacy Notice, violates GDPR's transparency principle, it could face a fine of up to 20 million euros or up to 4% of the worldwide annual turnover of the previous financial year. It's worth noting that the actual fine amount for such a violation is likely to be far from the maximum.

    Enforcement Without an EU Representative

    It might seem that having an EU representative is the only way to hold a non-resident company accountable for GDPR violations.

    While EU regulatory bodies indeed rely on this method, there are other ways to combat violators. One should not overlook the possibility of recognizing and enforcing foreign court decisions in Ukraine, as in any other country worldwide.

    Considering Ukraine's current political and legal direction, along with a global trend towards stricter personal data protection rules, it's highly probable that a competent EU authority's decision to impose a GDPR violation fine would be recognized and enforced in Ukraine.

    GDPR itself, regarding the liability of individuals outside the EU, is terse. It stipulates that the European Commission and national data protection authorities should take necessary measures to develop international cooperation mechanisms for enforcing personal data protection legislation. This approach sounds like a "we'll figure it out later" strategy.

    Conclusion

    In conclusion, the role of the EU representative is contradictory. On one hand, GDPR describes the representative as the non-resident's contact person without granting them rights or powers in terms of personal data processing. On the other hand, if necessary, GDPR is prepared to impose fines for violations that the representative did not actually commit. This "punching bag" role clearly does not motivate non-residents to comply with this requirement.

    Despite the representative's contradictory role, an obligation is an obligation, and non-resident companies meeting the criteria above must appoint an EU representative, as even such a violation can lead to significant fines.
