Do we need a representative in the EU?

The GDPR is famous for its extraterritorial application, which basically means that it will apply not only to EU/EEA organizations but also to those located outside the EU/EEA if they meet certain conditions of the GDPR. According to the regulation, if an organization is not based (it does not have a branch, office or other establishment) in the EU/EEA, but still, either (i) offers goods or services to individuals in the EU/EEA; or (ii) monitors the behavior of individuals in the EU/EEA, then it still needs to comply with the GDPR regarding this processing.

If you are an organization with no base in the EU then you must appoint a representative in the EU. A representative will act on your behalf in relation to GDPR compliance matters, including dealing with supervisory authorities and data subjects. 

Who can be a representative?

A representative may be an individual, or a company or organization established in the EU that is able to represent you regarding your obligations under the GDPR. It could be a lawyer, data protection expert, law firm, or consulting company. 

You need to authorize the representative to act on your behalf in writing. In practice the easiest way to appoint a representative is by a simple service contract to carry out representative services.

When you don’t have to appoint a representative?

Even though GDPR requires organizations with no base in the EU to appoint a representative, it does, however, leave room for certain organizations to not appoint an EU representative if certain conditions are present. Consequently, you do not need to appoint a representative if either:

• you are a public authority; or
• your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offense data.
  

Location of the representative

An EU representative should be located in the EU country where the data subjects whose data they process are residing. If an organization processes personal data of data subjects located in various EU countries then it only has to appoint a representative in only one of them. When choosing the country the organization must take into account in which country it has the most data subjects. 

For example, A consulting company is established and located in Canada with no offices in other EU countries. It has regular clients in Estonia, Malta and Belgium with most of the clients being located in Estonia. The company must appoint an EU representative to act as its direct contact for data subjects and EU supervisory authorities. This representative may be based in Estonia, Malta or Belgium, but not any other EU member state. However, since most of the clients are located in Estonia, it is recommended to appoint a representative in Estonia. 

It must be noted that organizations do not have to notify or register their representatives with supervisory authorities. But they must provide this information to their data subjects, for example in their privacy policy. 

Are DPO and EU representative the same?

Sometimes the difference between an EU representative and a Data Protection Officer (DPO) is not clear for organizations. Some even consider the two roles being the same. In reality, it is not like that. 

GDPR requires that DPOs must be able to perform their duties with a sufficient degree of autonomy within their organization. In particular, organizations are required to ensure that the DPO “does not receive any instructions regarding the exercise of his/her tasks”. GDPR Recital 97 states that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. On the other hand, there is no such a requirement of a sufficient degree of autonomy for EU representatives. The representative is subject to a mandate by an organization and will act on its behalf and therefore under its direct instruction.

Conclusion

Businesses that have no base in the EU shall analyze whether they fall under the scope of the EU representative requirement. If you do, you should look for an EU representative in the EU country or countries where your data subjects are located. You should appoint one representative in one country even if you have data subjects in multiple countries. There are service providers who provide EU representative services. In fact, EU representative service has recently emerged as a business model for many companies. You should also note that while it is recommended, it is not required to choose a representative that has a good level of expertise about the GDPR. The EU representative acts as a point of contact for data subjects and supervisory authorities and thus is not required to be an expert about the GDPR. It is the DPO that has to have a good level of expertise about the GDPR and data protection as this role is expected to help companies become GDPR compliant.