Art. 27 GDPR – Representatives of companies not established in the Union

Do I need a representative?

For many companies outside of the European Union it is not clear whether they need to appoint a representative for data protection purposes.

You will NOT need to fulfill this requirement when:

  1. processing which is occasional, and does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10 And is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
  2. you are a public authority or body.

If you concluded that you do need to appoint a representative and you would like that to be an experienced firm in data protection matters, do contact us. We can be your representative in the EU.

Tasks of the representative

The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.

The representative shall be mandated by the foreign company to act as contact point for supervisory authorities and data subjects. And for all issues related to processing for the purposes of ensuring compliance with this Regulation.

The designation of a representative by the company shall be without prejudice to legal actions which could be initiated against the company itself.

Contact us if you would like to discuss whether you need a representative.


Leave a Reply