Your company provides services or products in the European Union? You digitally monitor the behaviour of people in the EU but do not have a corporate office in the EU?
In this case, the European General Data Protection Regulation (GDPR) requires that you appoint a representative in the Union as the contact person for all questions on data protection from EU citizens and data protection supervisory authorities.
As your representative in the Union we will be the contact person for your customers (“data subjects”) in all European countries for all privacy issues.
Your EU representative will be legally appointed to represent you as the “controller” when dealing with data protection supervisory authorities in the EU.
We will establish and maintain your records of processing activities together with you. If requested, we will provide these records to authorities.
Our consultants and lawyers have many years of experience in data protection.
At our law firm, we speak ten languages and know the data protection laws of many EU countries in detail.
You can book a certain number of data protection inquiries made by your clients or supervisory authorities for a fixed monthly rate (flat rate).
First, we will evaluate all personal data processing and the relevant documents in your company.
In a preliminary discussion (via teleconference), our experts will brief your management and other supervisors about data processing in accordance with the GDPR.
Then, based on your information, we will create/optimise all the necessary records of processing activities for your business.
As soon as these mandatory preparations have been completed, our work as your EU representative begins.
If you would like to appoint a data protection expert from activeMind.legal as your representative in the European Union, please send us the following information, and we’ll send you a non-binding offer!
Please note that we only answer fully completed inquiries!
Companies that do not have an office in the EU yet provide their products or services within the European Union must appoint a representative in the Union if they process personal data (GDPR Art. 27(1)).
The GDPR extends its ‘territorial scope’, i.e. its scope of application, to controllers and processors having their registered office in a country outside of the EU. Moreover, the GDPR applies to the processing of personal data of individuals residing in the EU, regardless of their nationality (GDPR Art. 3(2)). It is thus irrelevant where the company is located and where the processing takes place as long as the processed data pertains to individuals residing in the EU. It is also important to remember that the rules apply to both controllers and processors of personal data, e.g. cloud providers will not be exempt from the enforcement of GDPR.
A non-EU-based company (i.e. without a corporate office in the EU), which intends to offer products, goods or services to ‘data subjects’, i.e. an identified or identifiable natural person, in one or more EU countries, needs to fulfil the requirements stated in the GDPR. Even free services are covered by this regulation.
The same applies to non-EU-based companies that monitor the behaviour of EU residents (e.g. by creating a profile), in so far as their behaviour takes place in the EU. Monitoring includes the tracking of individuals online to create profiles, including where this data is used to make decisions about these individuals or to analyse or predict their personal preferences, behaviours and attitudes. However, the mere accessibility of a company’s website in the EU may not necessarily fall within this scope (GDPR Recital 23).
The EU-based representative serves as the first point of contact with your business for data subjects and the data protection supervisory authorities. Thereby enforcement of the GDPR shall be guaranteed. The designation of the representative shall be without any prejudice to legal actions that can be taken against a respective controller or processor.
The GDPR includes exemptions to the obligations of appointing a representative for controllers or processors not based in the EU.
According to art. 27(2)(a) of the GDPR, a representative is not required when a company is processing EU personal data, if
It is important to know that the controller/processor must fulfil all these conditions in order to be exempt from the obligation to appoint a representative.
Public authorities or bodies are generally exempt from the requirement in Article 27.
Any natural or legal person who resides in one of the Member States can be appointed as a representative in the Union for a non-EU-based company (GDPR Art. 4(17)).
The representative must have a business or personal residence in the EU. Further, the representative’s residence must be in one of the EU Member States where the data subjects whose personal data the company processes are located (GDPR Art. 27(3)). Companies processing personal data in different Member States will therefore have a range of countries to choose from. The wording of the provision is clear, as it requires the representative to be located in ‘one of the Member States’.
With respect to the tasks of the representative, it is advisable to consider a representative who is not only appropriate for the company but also has a broad understanding of legal and technical data protection issues. It is also important to bear in mind that a controller or processor is not in compliance with the legal requirement to appoint a representative in the Union if the representative is unfit to fulfil the respectively assigned obligations according to the GDPR.
Since the EU-based representative serves as the contact person for all issues related to the company’s processing of personal data under the GDPR, he or she must be in a position to communicate effectively with data subjects and to cooperate effectively with the relevant data protection supervisory authorities. This means that communication must take place in the language(s) used by the data subjects and the data protection supervisory authorities.
The appointment of an EU representative for companies without an office in the EU must be made in writing (GDPR Art. 27 (1)).
The written agreement or the contract should at least state the rights and obligations of the representative. An oral appointment of the representative is excluded.
The main job of the representative is to operate as the local liaison with the data subjects and the supervisory authorities. Thus, the representative acts on behalf of the controller or the processor with regard to their obligations under the GDPR.
This representation applies, for example, to the rights of data subjects (Chapter III of the GDPR) and the collaboration with the respective supervisory authorities with regard to any action taken to ensure compliance with this regulation (GDPR Recital 80 and Art. 31).
Additional tasks could include maintaining records of processing activities (GDPR Art. 30 (1) and (2)) and where applicable making the records available to the supervisory authority (GDPR Art. 30(4)).
The designation of an EU-based representative does not affect the responsibility or liability of the controller or of the processor under GDPR Art. 27(4), which stipulates that the representative acts ‘in addition’ or ‘instead of’ the controller or processor when performing the obligations to data subjects or supervisory authorities. The appointment of a representative does not replace or limit the duties of the company located in a country outside of the EU.
The appointment of the representative in the Union is made without prejudice to legal actions which could be initiated against the controller or processor. They shall therefore be responsible for meeting the regulatory obligations when processing personal data of EU residents.
A representative may be subject to enforcement actions by data protection supervisory authorities in the event of non-compliance by the controller (GDPR Art. 58). The representative may be requested by the supervisory authority to provide all the information necessary to fulfil his/her duties. If the requested information is not available to the representative, it must be obtained from the data controller/processor.
© Copyright - activeMind.legal