Does my company need an EU-Representative according to Art. 27 GDPR?
If your company has customers in the EU, you need to deal with the EU General Data Protection Regulation (GDPR). If you don’t have an office in the EU, you probably need an EU representative.
Why? Because otherwise you will certainly lose customers and possibly even face fines.
The EU General Data Protection Regulation (GDPR) has prescribed new rules for data protection since 25 May 2018. These include the obligation to appoint an EU representative for transactions within the EU – regardless of your location.
1. Does my company need an EU-Representative?
- Do you offer goods or services to persons established in the European Union?
- Do you monitor the behaviour of persons in the EU?
If one or both of these questions are answered in the affirmative, the GDPR requires you to appoint a representative – even if you do not have a registered office in the EU.
You are exempt if your processing of personal data is carried out on an occasional basis and is unlikely to jeopardise the rights and freedoms of natural persons. However, the scope of this exemption is small, especially for online businesses, as most of them rely on the processing of personal data.
2. What are the duties of the GDPR representative?
The representative is mandated by the controller or the processor to act in addition to it or on its behalf, in particular towards supervisory authorities and data subjects, as a contact point for all questions relating to processing, in order to ensure compliance with this Regulation. The representative is an authorised representative for the receipt of legal documents (see, inter alia, § 44 BDSG).
3. Who can I appoint as my GDPR representative?
The designated representative must be established in one of the EU Member States where the processing takes place. He must be a natural or legal person designated in writing by the controller or processor in accordance with Article 27. A legal person is a natural, legal or other person having legal rights and obligations. The representative does not have to be a lawyer or a data protector.
However, since the representative is obliged to communicate with authorities and data subjects on a variety of issues, it would be beneficial for the representative to have a good knowledge of the GDPR rules. In addition, your GDPR representative should ideally have a good understanding of your company’s data services – what and how your company uses data. The GDPR representative ideally has professional experience working with regulatory and compliance authorities.
4. How do the roles of a representative and data protection officer compare?
A representative under Art. 27 and a data protection officer under Art. 37 have different roles: A data protection officer acts similarly to a data protection authority within a company and is intended to support a compliance culture. The designated representative acts more as an agent for the company who is in charge of communication with the authorities on the one hand and consumers on the other. Companies without an establishment in the EU are required under Art. 27 to designate a representative in the EU so that data protection authorities can reach and sanction them more easily and with fewer jurisdictional complications.
5. How do I appoint the GDPR representative?
You must authorise the representative in writing. The power of attorney should include the tasks of the representative. You do not currently have to inform your supervisory authority.
However, you must name the representative in your information to the data subject, typically your privacy statement (Art. 13 and 14 GDPR), and in your records of processing activities (Art. 30 GDPR).
6. How many representatives do I need?
In principle, only one GDPR representative is required for the EU, even if your company has branches in several EU states.
However, depending on the size of your company and the amount of data processing involved, it may make sense to appoint more than one representative. Different languages and cultural and legal particularities in each EU Member State can create additional difficulties.
7. What happens if I do not appoint a representative although I need one?
Failure to comply with the regulation can result in high fines (Art. 83 GDPR) of up to 10 million euros. It can also be regarded as unfair competition (this is disputed) if you do not comply with the regulations, which can lead to expensive lawsuits in Germany or other EU countries.
8. What can LHR do for you?
LHR represents companies that are not based in the EU – especially US companies – in accordance with Art. 27 GDPR.
There are 4 good reasons in favour of LHR:
LHR’s lawyers are the best choice for a GDPR representative not only linguistically, due to their international orientation (especially in relation to the USA), but also due to their many years of experience in data protection and IP law.
Partner Attorney Arno Lampmann is in his office on the American West Coast in Vancouver, WA, USA. In contrast to other European providers, time difference plays no role in communication with US companies. Attorney Lampmann thereby serves as a reliable and fast information mediator between American enterprises and the law office in Germany.
We have been supporting companies and corporations under public law in the implementation of the GDPR since its inception.
Partner Birgit Rosenbaum has specialised, for example, in assisting cities and municipalities in particular with the implementation of the GDPR regulations on their websites and in their daily practice.
We answer any number of data protection enquiries within the scope of our task as a GDPR representative at a fixed monthly price. Our costs are determined individually according to the size and number of employees of your company. Contact us and we will be happy to inform you.
Contact us directly in the USA: +1 541 255 9577