
EU representatives

When organisations handle personal data, they will need to comply with the relevant data protection laws, including the UK General Data Protection Regulations (GDPR). In certain situations, this will involve appointing an EU representative under the EU General Data Protection Regulations (EU GDPR). Read this guide to find out more.

An EU representative (also known as a ‘data representative’) is a local contact for data subjects (ie individuals to whom personal data relates) and supervisory authorities (such as the Information Commissioner’s Office in the UK). The representative is the party that should be contacted about any issues relating to the processing (eg obtaining or recording) of personal data (eg names and addresses). In other words, the EU representative acts as the organisation’s public face in the EU and European Economic Area (EEA).

Organisations based in the UK, who do not have a branch, office or other establishment in any EU or EEA state, may need to appoint an EU representative under the EU GDPR. This is the case if an organisation:

  • offers goods or services to individuals in the EEA

  • monitors the behaviour of individuals in the EEA

The representative needs to be established in the EU or EEA state in which some of the data subjects are located.

As the organisation does not have a base in the EU or EEA, an EU representative needs to be appointed to provide data subjects (and supervisory authorities) with a point of contact regarding data protection issues and enquiries under the EU GDPR. 

Who doesn’t need to appoint an EU representative?

An EU representative does not need to be appointed:

Essentially, this means that organisations without an EEA base that regularly serve EEA customers require a representative. Small organisations that only serve EEA customers occasionally (eg a customer every couple of months) do not need to appoint a representative, provided the data they process doesn’t pose a risk to the rights and freedoms of data subjects. However, to ensure compliance with data protection laws, an EU representative should be appointed by any organisation that:

  • processes special category or criminal offence data

  • has many EEA customers

  • intends to expand its business

If you are unsure if you need to appoint an EU representative, Ask a lawyer.

A representative can be an individual or an organisation (eg a company, law firm or consultancy organisation) established in the EEA.

The representative must be able to represent the UK organisation regarding its obligations under the EU GDPR. This means that the UK organisation needs to authorise the representative in writing to: 

  • act on its behalf regarding EU GDPR compliance (eg by keeping records of data processing activities and monitoring how the EU GDPR applies to the organisation)

  • deal with any supervisory authorities in relation to EU GDPR compliance (eg by making records available)

  • deal with any data subjects in relation to EU GDPR compliance (eg by responding to data protection requests and answering data-related questions) 

In practice, an EU representative may be appointed under a Services agreement.

UK organisations should provide details (eg name and email address) of their EU representative to any EEA-based data subjects. This can be done by including such details in a privacy notice or in the information provided when personal data is first collected.

Organisations must ensure that this information is clear and easily accessible to both data subjects and supervisory authorities. This can be achieved by publishing the information on the organisation’s website.

EU representatives and DPOs are different parties that perform different roles within an organisation. A DPO is someone within an organisation who is responsible for ensuring data protection compliance. It is an active in-house role responsible for ensuring compliance with the GDPR and the organisation’s privacy efforts. An EU representative is an external role, acting as a point of contact for EEA data subjects and supervisory authorities. For more information on DPOs, read Data protection.
