EU-Representative GDPR

Whether European data protection law applies does not depend solely on whether a company is based within the European Union. Companies established outside the EU, e.g. in the USA, China, Canada or Israel, must also comply with the European General Data Protection Regulation if they offer goods or services to data subjects in the EU or monitor their behaviour within the EU (Art. 3(2) GDPR). In that case the GDPR applies to you, and unless one of the exceptions in Art. 27(2) GDPR applies, you need an EU representative under Art. 27 GDPR.

Executive summary:

  • The European General Data Protection Regulation can also apply directly to companies based in a third country (Art. 3(2) GDPR, the so-called targeting criterion).
  • Companies without an establishment in the EU must appoint a GDPR EU representative in accordance with Art. 27 GDPR if they offer goods or services to data subjects in the EU or monitor their behaviour within the EU.
  • The role of the EU representative under the GDPR is to serve as the direct point of contact for data subjects (persons located in the EU, irrespective of nationality). It is also the addressee for the supervisory authorities and is authorised to receive applications, documents, requests for information and official instructions as an authorised recipient.
  • The EU representative pursuant to Art. 27 GDPR also provides support in complying with other data protection obligations, e.g. the record of processing activities and the information obligations.
  • Besides avoiding the risk of fines, appointing an EU representative makes compliance efforts visible in local markets.

Arrange a free initial consultation now!

Do you need an EU representative under the GDPR, or do you have another data protection issue that needs attention?

Please feel free to arrange a non-binding and free initial meeting with us!

Perfect for:

  • Private companies
  • Start-ups
  • Associations
  • Small and medium-sized enterprises
  • Multinational corporate groups

What is an EU-Representative GDPR?

Our EU representative service pursuant to Art. 27 GDPR serves as a central point of contact for data subjects and supervisory authorities for all questions relating to the processing of personal data, giving them a direct contact within the EU. A GDPR EU representative is a natural or legal person established in the EU who has been designated by a non-European company. The representative acts for the company established in the third country (controller or processor) with regard to that company's obligations under the GDPR. The purpose of the designation under Art. 27 GDPR is to improve the international enforcement of the GDPR.

What tasks do GDPR EU representative services include?

The EU representative pursuant to Art. 27 GDPR represents companies not established in the European Union. It answers all questions in connection with data processing by the non-European controller or processor. The EU representative is the direct point of contact for data subjects, is the addressee for the supervisory authorities and is authorised to receive applications, documents, requests for information and official instructions as an authorised recipient. In addition, the EU representative supports the company with the following tasks:

  • Documentation of personal data breaches
  • Responding to data subject requests
  • Preparation of the record of processing activities as a controller (Art. 30(1) GDPR)
  • Documentation of processing activities as a processor (Art. 30(2) GDPR)
  • Making the record of processing activities available at the request of the supervisory authority (Art. 30(4) GDPR)
  • Preparation of privacy notices (Art. 13 GDPR)
  • Correspondence and cooperation with the supervisory authority (Art. 31 GDPR)

Whom can companies designate as GDPR EU representative?

Both a natural person and a legal person can be designated as a GDPR EU representative in accordance with Art. 27 GDPR. The representative must be established in one of the EU Member States in which the data subjects concerned are located (Art. 27(3) GDPR). The GDPR does not stipulate any minimum professional qualifications for the EU representative. However, since the EU representative acts as the point of contact for supervisory authorities and data subjects, he or she should have sound and demonstrable expertise in data protection law. Only then can the representative reliably fulfil its duties and respond to incoming requests in a timely and adequate manner. After all, receiving a request and handling it inadequately entails serious legal risks and potential liability for the represented company.

What form must the appointment of the GDPR EU representative take?

The GDPR EU representative pursuant to Art. 27 GDPR must be designated expressly and in writing (Art. 27(1) GDPR). The GDPR sets no further requirements for the form of the designation, for example regarding its duration or a possible revocation or termination. The designation should be kept clearly separate from the underlying contractual relationship. In practice, the function of the EU representative is exercised on the basis of a service contract, which should in particular set out the responsibilities, tasks and powers of the EU representative under Art. 27 GDPR. The designation does not have to be notified to the supervisory authorities. The EU representative should, however, be named in the privacy notice and in the record of processing activities.

Which companies need an EU-Representative GDPR in accordance with Art. 27 GDPR?

Every company based in a third country requires a GDPR EU representative in accordance with Art. 27 GDPR if it:

  • does not have an establishment in the European Union,
  • processes personal data of data subjects located in the EU, and
  • directs its business activities at the EU market, in particular by:
    • offering goods or services to persons in the EU (see example 1), or
    • monitoring the behaviour of persons located in the EU (see example 2).

[Image: city map app for tourists in the EU]

Are there exceptions to the obligation to appoint an EU-Representative GDPR according to Art. 27 GDPR?

Not every non-European company is obliged to appoint an EU representative in accordance with Art. 27 GDPR, because the GDPR provides for two exceptions (Art. 27(2) GDPR). The designation is not required if

  • the processing is only occasional, does not include large-scale processing of special categories of data within the meaning of Art. 9(1) GDPR (e.g. information on racial or ethnic origin, health data or genetic data) or of data relating to criminal convictions and offences within the meaning of Art. 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of data subjects, taking into account the nature, context, scope and purposes of the processing; or
  • the controller or processor is a public authority or body.

Every non-European company must assess its own processing operations in light of the specific circumstances of the individual case. When examining the indicators of the targeting criterion with regard to behavioural monitoring within the Union or the offering of goods or services to persons in the Union, it is worth consulting the European Data Protection Board's Guidelines 3/2018 on the territorial scope of the GDPR.

Targeting Criterion fulfilled: What data protection obligations arise for my company?

If the GDPR applies by virtue of Art. 3(2) GDPR, the company established in the third country (controller or processor) must designate a representative in the Union in writing in accordance with Art. 27 GDPR. In addition, the non-European company (supported by its EU representative) must fulfil the following data protection obligations:

Creation of a Records of Processing Activities:

All data protection-relevant business processes relating to the EU market must be documented and updated on an ongoing basis (Art. 30 (1) and (2) GDPR).

Integrate privacy notices:

Data subjects located in the EU must be informed about the intended data processing by means of a privacy notice (Art. 13 GDPR).

Implement technical and organizational measures (TOM):

The protection of personal data must be ensured by appropriate security measures. Depending on the degree of digitisation and the design of the processes, conceivable measures include firewalls, end-device encryption, password protection, multi-factor authentication, a double opt-in procedure for consent, etc.

Document consents:

Declarations of consent must meet the requirements of data protection law. Consents granted should be documented in the system, together with when, for what purpose and on the basis of which privacy notice they were given, in order to satisfy the obligation to demonstrate consent.
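The double opt-in procedure mentioned under the technical and organisational measures and the evidence obligation for consents described above can be implemented together. The following is an added example written for this page, not code from the original page or from ALPHATECH Consulting GmbH: a confirmation link is protected with an HMAC so that only a click from the mailbox that was entered completes the consent, expired links are rejected, and every confirmed consent is written to a hash-chained, append-only log recording the time of request, time of confirmation, purpose and the version of the privacy notice shown. All names (ConsentLog, issue_confirmation_token, ...), the signing key, the e-mail address and the IP address are assumptions constructed for illustration.

```python
"""Double opt-in consent flow with an evidence-grade consent log.

Added example; not code from the original page or from ALPHATECH Consulting.
All identifiers, the key and the sample data are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumption: in production the key comes from a secrets manager, never from source.
SIGNING_KEY = b"replace-me-with-a-32-byte-random-key"
TOKEN_MAX_AGE = 24 * 3600  # confirmation links expire after one day


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email: str, purpose: str, notice_version: str,
                             key: bytes = SIGNING_KEY, now: Optional[float] = None) -> str:
    """Step 1 of double opt-in: sign the request and send the token back by e-mail.

    The token binds e-mail, purpose, privacy-notice version and issue time, so a
    click proves control of that mailbox for exactly this request; the HMAC
    prevents anyone from forging or editing the link.
    """
    payload = json.dumps({"email": email, "purpose": purpose,
                          "notice_version": notice_version,
                          "issued_at": int(now if now is not None else time.time()),
                          "nonce": secrets.token_hex(8)},
                         sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_confirmation_token(token: str, key: bytes = SIGNING_KEY,
                              now: Optional[float] = None) -> Optional[dict]:
    """Step 2: validate the clicked link. Returns the payload, or None if forged or expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current - data["issued_at"] > TOKEN_MAX_AGE:
        return None
    return data


@dataclass
class ConsentLog:
    """Append-only log; each entry hashes the previous one so later edits are detectable."""
    entries: list = field(default_factory=list)

    def record(self, data: dict, confirmed_at: float, source_ip: str) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "email": data["email"],
            "purpose": data["purpose"],
            "notice_version": data["notice_version"],  # which privacy notice was shown
            "requested_at": data["issued_at"],
            "confirmed_at": int(confirmed_at),         # double opt-in completed here
            "source_ip": source_ip,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> ConsentLog:
    """Constructed walk-through: one valid confirmation, one forged and one stale link."""
    log = ConsentLog()
    t0 = 1_700_000_000
    token = issue_confirmation_token("alice@example.org", "newsletter", "2024-05", now=t0)
    data = verify_confirmation_token(token, now=t0 + 600)
    assert data is not None
    log.record(data, confirmed_at=t0 + 600, source_ip="203.0.113.7")
    forged = token.split(".", 1)[0] + "." + _b64(b"\x00" * 32)  # wrong MAC
    assert verify_confirmation_token(forged, now=t0 + 600) is None
    assert verify_confirmation_token(token, now=t0 + TOKEN_MAX_AGE + 1) is None
    return log
```

The log entry is what a supervisory authority or a data subject would be shown as evidence: it ties the confirmation to a specific request, a specific privacy notice version and a timestamp, and the hash chain makes silent back-dating or editing of earlier entries detectable.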

Manage processors:

If external service providers are commissioned to process personal data for the EU-related processes, a data processing agreement in accordance with Art. 28 GDPR must be concluded with each of them.

Difference between the data protection officer and a GDPR EU representative

An EU representative under Art. 27 GDPR is not the same as the data protection officer within the meaning of Art. 37 GDPR. The two have different tasks and duties: a data protection officer advises the company on data protection issues, is not bound by instructions in performing those tasks and is intended to promote the compliance culture within the controller. The EU representative, by contrast, is a point of contact that acts on the mandate and instructions of the controller. It is available for enquiries and complaints and can document processing activities and processor relationships.

What penalties apply if no EU representative has been appointed in accordance with Art. 27 GDPR?

Failure to designate a representative in the Union is subject to fines under the GDPR. A breach of the designation obligation under Art. 27 GDPR can be sanctioned with a fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(4)(a) GDPR).

FAQ EU-Representative GDPR:

Can the EU GDPR also apply to companies based outside the EU?

Yes. The General Data Protection Regulation (GDPR) extends the territorial scope of European data protection law to third countries. Under the so-called market location principle (the targeting criterion of Art. 3(2) GDPR), companies without an establishment in the EU must also comply with the GDPR if they offer goods or services to persons in the EU or monitor their behaviour there.

Why an EU representative according to Art. 27 GDPR?

The EU representative is the direct point of contact for data subjects and the data protection supervisory authorities. It supports the company in responding to data protection requests and official instructions in a timely and correct manner.

When is an EU representative required according to Art. 27 GDPR?

Companies without an establishment in the EU must appoint an EU representative in accordance with Art. 27 GDPR if the GDPR applies to them based on the so-called Targeting Criterion. This is the case if the non-European company offers its goods and services on the European market or monitors the behavior of persons located in the EU.

How many EU representatives according to Art. 27 GDPR does my company need?

In principle, only one EU representative is required, even if the non-European company offers its goods and services in several EU Member States. The representative must, however, be established in one of the Member States in which the data subjects concerned are located (Art. 27(3) GDPR).

What selection criteria should apply to the representative?

A representative must be established within the EU, in a Member State where the data subjects concerned are located, and must be reachable for enquiries from supervisory authorities and data subjects. It is also advisable to choose a representative with appropriate qualifications in data protection, as misjudging the urgency or importance of a request can quickly lead to violations of the GDPR and thus to high fines.

Contact us!

We will answer your questions about data protection and IT security.

Your contact person

Yanick Röhricht LL.M.

Certified Data Protection Officer, Data Protection Auditor (TÜV), Certified Information Security Officer (DGI)

ALPHATECH
Consulting GmbH

Mainzer Straße 75
65189 Wiesbaden

Telephone

+49 611 445 010 04

Our work is certified