EU Representative: Tasks and Advantages
An EU representative serves as the main contact point for non-EU companies. It handles communication with data subjects and supervisory authorities. This includes matters related to data processing and GDPR compliance.
This role is public. According to GDPR, you must display your representative’s contact details in a noticeable place. Add them to your website or app. This ensures supervisory authorities or consumers can easily find and contact them if necessary.
When do you need an EU representative?
Article 27 of the General Data Protection Regulation (GDPR) requires certain data controllers to designate a representative. This applies to those offering goods or services to EU residents. It also includes those monitoring the behaviour of EU residents. The requirement applies to entities not established in the EU. An exception exists for certain data controllers and processors, to whom this provision does not apply.
The exception applies to those controllers and processors that:
- process personal data occasionally;
- do not process any data on a large scale;
- do not process any special categories of personal data (Article 9(1) GDPR) or data related to criminal convictions and offences (Article 10 GDPR);
- do not carry out processing operations that are likely to result in a risk to the rights and freedoms of natural persons.
Is there a penalty for not designating an EU representative?
In short – Yes.
If the GDPR provisions are violated, the data controller or processor may face significant fines. These fines can reach up to 20 million EUR or 4% of the total annual turnover from the previous year, whichever is higher. This penalty applies to the obligation to designate an EU representative. Examples from enforcement practice include:
- Locatefamily.com received a 525,000 EUR fine due to not appointing an EU representative. Because of that, data subjects could not contact the company and exercise their rights.
- Clearview AI Inc. was fined 30,500,000 EUR, and among the not-so-short list of committed violations was that Clearview AI Inc. had not appointed a representative within the European Union as required under the GDPR.
- Senseonics Inc. was fined 45,000 EUR, and one of the noted breaches was the company’s failure to designate a representative within the European Union, which the GDPR mandates.
Given this practice, ensure you appoint an EU representative if the relevant GDPR provisions apply to your company.

Duties and responsibilities of an EU representative
The primary responsibility of an EU representative is to be the main contact point between the data controller or processor and data subjects or Data Protection Authorities (DPAs). The representative's duties include, in particular:
- receiving and transferring requests regarding data processing from data subjects in the EU to the controller or processor;
- ensuring efficient communication between the controller or processor and data subjects;
- receiving requests from DPAs and informing the controller or processor of such requests;
- ensuring efficient communication between the controller or processor and a DPA;
- maintaining records of processing (RoPA) and making them available to a DPA on request.
To perform its duties, the role and contact details of the EU representative must be specified in all relevant company contact points and documents.
Designation
The GDPR obliges applicable controllers and processors to designate an EU representative through a written mandate (such as a contract). This written document shall include the provisions that authorise a representative to act on behalf of the controller or processor.
The representative shall also be established in one of the EU member states where the data subjects whose personal data are processed reside. If a significant number of data subjects are located in a specific member state, the representative shall be designated in that same state. Nonetheless, the representative must still be readily accessible to data subjects from other member states.
Can the same person simultaneously act as an EU representative and Data Protection Officer?
In short – No.
The GDPR requires the DPO to perform duties independently, without receiving instructions about their tasks. In contrast, the EU representative works on behalf of the company and follows its direct instructions. This can lead to a conflict of interest.
Furthermore, the EDPB, in its Guidelines 3/2018, emphasises that these roles are not compatible.
Liability of a representative
Unlike a DPO, an EU representative can be held liable, as it acts as the legal contact point of a controller or processor in the case of GDPR non-compliance or infringement in the course of performing its duties.
In conclusion, understanding the role of an EU representative is crucial for businesses looking to operate within the European Union. As you prepare to launch your venture, be sure to familiarise yourself with the GDPR obligations and the importance of designating a representative.
Be aware that you can always contact us and schedule a meeting with our team to learn more about details and use cases or discuss your organisation’s unique needs.