Everything you need to know about data protection
Who needs an EU representative?
The duty to select an EU representative under the GDPR applies to every company that
- is not established in at least one EU Member State, or
- processes personal information that is subject to the GDPR.
Companies that meet the following requirements are not subject to these regulations:
- Only occasionally handle personal data of individuals in the EU.
- Do not handle sensitive data such as medical records or criminal charges.
- Use customer information only to fulfil a single order, with no intention of retaining it for marketing purposes.
Since these criteria must all be fulfilled together, the exception is rather narrow. Determining whether the exemption applies requires legal review on a case-by-case basis.
What is the role of an EU representative?
The primary roles of an EU representative are:
- to serve as a nearby contact for any inquiries about data protection concerns, especially for customers and supervisory authorities responsible for data protection,
- to keep records of the company's data processing activities in the EU in accordance with Article 30 of the GDPR,
- to cooperate with supervisory authorities in case of an investigation.
An EU representative will relieve you from these responsibilities and stay up-to-date with the latest developments, allowing you to focus on your main business.
What happens if you don't appoint a representative in the EU?
If your company must appoint an EU representative but does not, EU data protection supervisory authorities may impose penalties of up to £10 million or 2% of your company's worldwide annual turnover, whichever is greater. These fines can also be enforced against businesses located in non-EU countries.
Another key consideration is that, as data protection awareness has risen significantly throughout the EU, your B2B or B2C customers based in the EU are verifying your compliance with the GDPR. Negative publicity from non-compliance incidents may have even more severe consequences than the actual financial penalties.
What are the effects of Brexit on the need for a GDPR representative?
Since Brexit, the UK has its own version of the GDPR - the Data Protection Act 2018, which mirrors the EU GDPR in terms of the requirement to appoint a representative.
With regard to GDPR representation, there are three scenarios:
- Companies that are neither based in the EU nor in the UK, but trade with both, must appoint both an EU representative and a separate UK representative.
- EU-based businesses trading with the UK need a UK representative.
- UK-based businesses trading with the EU require an EU representative.
Regardless of which category your business falls under, EU-REP.Global is prepared to meet all regulatory requirements.
Do we fall under the EU GDPR?
The EU General Data Protection Regulation (GDPR) covers a wide range of personal data. It applies to all personal data, including name, contact information, payment information, IP address, device fingerprints, location, and behavioural data.
It affects not only companies based in EU countries, but also those outside the EU that collect, receive, store, or use personal data from EU residents. This is relevant if the company offers goods or services (free or for a fee) to EU residents, or monitors their behaviour.
A company's activities must be directed at the EU market in order to be subject to the GDPR. Criteria include the following activities:
- Planning ad campaigns targeting EU consumers.
- Offering international services, like tourism.
- Using EU website domains like .de, .fr, .es, or .eu.
- Accepting payments in Euro or other EU currencies.
- Mentioning the EU in the context of a product or service.
- Shipping goods to EU countries.
- Profiling for marketing, including behavioural advertising and geo-data processing.
- Using online tracking, e.g., pixels, cookies, or device fingerprinting.
- Personalized digital health and nutrition analysis.
- Surveys targeting consumer behaviour.
- Video recordings.
The company may be subject to GDPR even if only one of the above applies. This includes service providers who don't use personal data for their own purposes, but act on behalf of others (e.g., cloud services, SaaS providers).
What are the benefits of appointing an EU Representative?
Appointing an EU representative ensures compliance for data processing companies, and provides a central point for reporting GDPR security incidents. For example, if vulnerabilities result in the unauthorized exposure of user data, companies must report these data breaches to European data protection authorities. With 44 different national authorities, reporting breaches can be time-consuming and costly, especially with a 72-hour reporting window. A trusted EU representative can help navigate this complicated reporting process.