Which companies need an EU representative?

Companies established outside the EU are required to appoint an EU representative according to Art 27 GDPR in the EU if they:

  • offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or

  • monitor their behaviour (e.g. cookie profiling).

According to the Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR this applies on controllers and processors as well. For processors not established in the Union the applicability of GDPR depends on what the “processing activities” are “related to”. If the data processing conducted for the controller is "related" to the offering of goods and services or the monitoring of behaviour, the GDPR applies to the processor in addition to the controller. 

Case: A hotel outside the EU enters into contracts with booking platforms available in different European languages and accepting payments in EUR. By such contracts the hotel reaches out to data subjects located in the EU. The hotel is controler and its suppliers may be processor. The hotel's provider for the booking system and the payment service provider for example are also involved in the processing activities related to European data subjects. Besides the hotel, these processors are therefore also within the scope of GDPR and need to appoint a representative.

Are there any exemptions from the obligation to appoint an EU representative?

When does my company offer goods and services to individuals in the EU?

When does my company monitor the behaviour of EU data subjects?

What fine may be imposed for non-compliance?

Where should a representative be located?

What are the responsibilities of the representative?

What is GDPR-Rep.eu's approach to the representation?

What are the services provided by GDPR-Rep.eu?

How does GDPR-Rep.eu secure and protect sensitive data?

What is the process of appointing GDPR-Rep.eu as EU representative?

We are a group of companies. Do you offer special options for groups?

What are the payment options?

What happens to incoming requests?

Does GDPR-Rep.eu offer help with answering requests?

Is GDPR-Rep.eu one of my company's processors and where can I find the data processing agreement?

How can more than one business be managed?