When organisations handle personal data, they need to comply with the relevant data protection laws, including the UK General Data Protection Regulation (UK GDPR). In certain situations, this will involve appointing an EU representative under the EU General Data Protection Regulation (EU GDPR). Read this guide to find out more.
What is an EU representative?
An EU representative (also known as a ‘data representative’) is a local contact for data subjects (ie individuals to whom personal data relates) and for the supervisory authorities of EU and EEA states (the EU equivalents of the Information Commissioner’s Office in the UK). The representative is the party that should be contacted about any issues relating to the processing (eg obtaining or recording) of personal data (eg names and addresses). In other words, the EU representative acts as the organisation’s public face in the EU and European Economic Area (EEA).
Who needs to appoint an EU representative?
Organisations based in the UK that do not have a branch, office or other establishment in any EU or EEA state may need to appoint an EU representative under the EU GDPR. This is the case if an organisation:
offers goods or services to individuals in the EEA
monitors the behaviour of individuals in the EEA
The representative must be established in one of the EU or EEA states in which the data subjects whose personal data is being processed are located.
As the organisation does not have a base in the EU or EEA, an EU representative needs to be appointed to provide data subjects (and supervisory authorities) with a point of contact regarding data protection issues and enquiries under the EU GDPR.
Who doesn’t need to appoint an EU representative?
An EU representative does not need to be appointed:
by public authorities
if an organisation only occasionally processes personal data, and that processing is unlikely to pose a risk to the rights and freedoms of data subjects and does not involve the large-scale use of special category personal data (eg information about racial origin or health) or criminal offence data (ie information about criminal convictions and offences)
Essentially, this means that organisations without an EEA base that regularly serve EEA customers require a representative. Small organisations that only serve EEA customers occasionally (eg a customer every couple of months) do not need to appoint a representative, provided the data they process doesn’t pose a risk to the rights and freedoms of data subjects. However, to ensure compliance with data protection laws, an EU representative should be appointed by any organisation that:
processes special category or criminal offence data
has many EEA customers
intends to expand its business
If you are unsure if you need to appoint an EU representative, Ask a lawyer.
Who can act as an EU representative?
A representative can be an individual or an organisation (eg a company, law firm or consultancy organisation) established in the EEA.
The representative must be able to represent the UK organisation regarding its obligations under the EU GDPR. This means that the UK organisation needs to authorise the representative in writing to:
act on its behalf regarding EU GDPR compliance (eg by keeping records of data processing activities and monitoring how the EU GDPR applies to the organisation)
deal with any supervisory authorities in relation to EU GDPR compliance (eg by making records available)
deal with any data subjects in relation to EU GDPR compliance (eg by responding to data protection requests and answering data-related questions)
In practice, an EU representative is usually appointed under a written services agreement, which should set out the authority the representative has to act on the organisation’s behalf.
What information needs to be made available?
UK organisations must provide the identity and contact details (eg name, postal address and email address) of their EU representative to EEA-based data subjects. This can be done by including such details in a privacy notice or in the information provided when personal data is first collected.
Organisations must ensure that this information is clear and easily accessible to both data subjects and supervisory authorities. This can be achieved by publishing the information on the organisation’s website.
What is the difference between an EU representative and a data protection officer (DPO)?
EU representatives and DPOs are different parties that perform different roles. A DPO is someone within an organisation who is responsible for ensuring data protection compliance: it is an active, in-house role that oversees the organisation’s compliance with the GDPR and its wider privacy efforts. An EU representative, by contrast, is an external role, acting as a point of contact for EEA data subjects and supervisory authorities. For more information on DPOs, read Data protection officers (DPOs).