EU Representative: Tasks and Advantages

An EU representative is a role that serves as the main point of contact for non-EU companies, handling communication with data subjects and supervisory authorities regarding data processing and compliance with GDPR.

This role is public: in accordance with GDPR you must add your Representative’s contact details to a noticeable place on your website or in your app so the supervisory authorities or consumers can easily find them and contact you through them, if necessary. 

When do you need an EU representative?

Article 27 of the General Data Protection Regulation (GDPR) requires data controllers and processors that offer goods and services to or monitor the behaviour of the EU residents but are not established in the EU to designate a representative within the Union. There is also an exception for data controllers and processors to whom this provision is not applicable. 

The exception applies to those controllers and processors that:

• process personal data occasionally;
• do not process any data on a large scale;
• do not process any special categories of personal data (Article 9(1) GDPR) or data related to criminal convictions and offences (Article 10 GDPR);
• do not carry out processing operations that are likely to result in a risk to the rights and freedoms of natural persons.

Is there a penalty for not designating an EU representative?

In short – Yes.

For violating the provisions of the GDPR, the data controller or processor may be charged with a fine of up to 20 million EUR or 4% of the total annual turnover for the previous year, whichever is greater. This penalty applies to the designation of the EU representative. Further listed examples of fine practice concerned:

• Locatefamily.com received a 525,000 EUR fine due to not appointing an EU representative. Because of that, data subjects could not contact the company and exercise their rights.
• Clearview AI Inc. was fined 30,500,000 EUR, and among the not-so-short list of committed violations was that Clearview AI Inc. had not appointed a representative within the European Union as required under the GDPR.
• Senseonics Inc. was fined 45,000 EUR, and one of the noted breaches was the company’s failure to designate a representative within the European Union, which the GDPR mandates.

Considering the abovementioned practice, make sure to designate an EU representative if relevant provisions of the GDPR are applicable to your company.

Duties and responsibilities of an EU representative

The primary responsibility of an EU representative is to be the main contact point between the data controller or processor and data subjects or Data Protection Authorities (DPAs). Representative’s duties include in particular:

• receiving and transferring requests regarding data processing from data subjects in the EU to controller or processor;
• ensuring efficient communication between the controller or processor and data subjects;
• receiving requests from DPAs and informing the controller or processor of such requests;
• ensuring efficient communication between the controller or processor and a DPA;
• maintaining records of processing (RoPA) and making them available to a DPA on request.

To perform its duties, the role and contact details of the EU representative must be specified in all relevant company contact points and documents.

Designation

The GDPR obliges applicable controllers and processors to designate an EU representative through a written mandate (such as a contract). This written document shall include the provisions that authorise a representative to act on behalf of the controller or processor.

The representative shall also be established in one of the EU member states where the data subjects whose personal data are processed reside. If a significant number of data subjects are located in a specific member state, the representative shall be designated in that same state. Nonetheless, the representative must still be readily accessible to data subjects from other member states.

Can the same person simultaneously act as an EU representative and Data Protection Officer? 

In short – No.

The GDPR states that DPO has to fulfil its duties with a certain independence, without receiving any instructions regarding the exercise of its tasks, where the EU representative operates on behalf and under direct instructions from the company. This can lead to a conflict of interest.

Furthermore, the EDPB in the Guidelines 3/2018 emphasises that these roles are not compatible. 

Liability of a representative

Unlike a DPO, an EU representative can be liable, acting as a legal contact point of a controller or processor in the case of GDPR noncompliance or infringement in the course of the performance of their duties.

In conclusion, understanding the role of an EU representative is crucial for businesses looking to operate within the European Union. As you prepare to launch your venture, be sure to familiarise yourself with the GDPR obligations and the importance of designating a representative.

Be aware that you can always contact us and schedule a meeting with our team to learn more about details and use cases or discuss your organisation’s unique needs.