5 things you need to know about the obligation to appoint a GDPR representative

Author info

Did you know the GDPR can be relevant to your company even if you do not have an establishment in the EU? In this blog you will read 5 things you need to know about the GDPR representative, which you may have to appoint. 

1. What is a GDPR representative?

The GDPR representative is a natural or legal person...

  • established in the EEA (meaning the EU Member States plus Liechtenstein, Iceland and Norway),
  • designated by a company established outside the EEA,
  • to represent that company with respect to its obligations under the GDPR.

2. Does your company need to appoint a GDPR representative ?

If your company is established outside the EEA, but collects personal data from individuals who are in the EEA by offering them products or services or by monitoring their behaviour, then your company will act as a controller or processor under the GDPR and will have to appoint a representative on EEA territory. 

There are some very limited and restrictively interpreted exceptions to this obligation, for example if the processing is really occasional. 

2.1. When is your company offering goods or services?

Your company is offering goods or services to people in the EEA as soon as the intention to do so is there, for example:. 

  • You designate the EEA or at least one Member State by name when offering the good or service;
  • Your marketing and advertisement campaigns are directed at a European audience; 
  • You invest in SEO services to facilitate access to your site by consumers in the EEA; ;
  • The nature of your activity is international, such as certain tourist activities;
  • You mention dedicated addresses or phone numbers to be reached from the EEA;
  • You use an EEA related top-level domain name t such as “.de”, or the “.eu”;
  • You describe travel instructions from one or more other Member States to the place where the service is provided;
  • You mention an international clientele composed of customers domiciled in various Member States, in particular by presentation of accounts written by such customers;
  • You use a language or a currency other than that generally used in your country, especially a language or currency of one or more Member states;
  • You deliver goods in Member States.

2.2. When is your company monitoring behaviour?

Your company is monitoring behaviour of data subjects who are in the EEA if data subjects are tracked on the internet or tracked through other types of network or technology involving personal data processing.

Such tracking or monitoring activities may include:

  • Behavioural advertisements;
  • Geo-localisation activities, in particular for marketing purposes;
  • Online tracking through the use of tracking technologies (cookies, web beacons, device fingerprinting, etc.);
  • Personalized diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioural studies based on individual profiles;
  • Monitoring or regular reporting on an individual’s health status.

3. What are the tasks of a GDPR representative ?

You must designate your GDPR representative by way of a written mandate clearly and transparently detailing the tasks, which should contain, at least,

  • to act on behalf of the controller or the processor,
  • to keep a record of processing activities on behalf of the organization he or she represents and to produce it on request to a supervisory authority,
  • to provide information to a supervisory authority in the context of an investigation.

4. Who can act as GDPR representative ?

Any natural or legal person established in one of the Member States where goods or services are offered or behavior is monitored may act as GDPR representative on behalf of the controller or processor which is not established in the EEA. 

5. What if your company doesn’t appoint a GDPR representative ?

If your company does not appoint a GDPR representative if obliged to do so under the GDPR, the supervisory authority may impose an administrative fine up to 10 million EUR or up to 2% of the total worldwide annual turnover, whichever is higher.

Your company’s liability for violations of obligations under the GDPR, such as answering data subject requests or concluding data processing agreements, is not affected by designating a GDPR representative.

Timelex can act as your GDPR representative. Please contact us for more information.