This representative in the Union is the point of contact for all questions concerning the data protection of EU citizens and the contact for data protection supervisory authorities.
You might need a GDPR-Representative
If you are a controller or processor not established in the EU and process personal data of data subjects who are in the European Union, you must appoint a representative. This representative in the Union is the point of contact for all questions concerning the data protection of EU citizens and the contact for data protection supervisory authorities.
With Brexit approaching rapidly, this is of particular relevance to UK-based companies.
The General Data Protection Regulation (GDPR) is applicable irrespective of where a company is located and where the processing takes place as long as the processed data pertains to data subjects in the Union.
According to Art. 27 GDPR, a representative must be appointed in at least one EU country when the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, or the monitoring of their behaviour as far as their behaviour takes place within the Union.
Even the analysis of visitors of your website can be considered monitoring. If one of the above criteria is given, you need to appoint a representative, unless an exception applies. The obligation to designate a representative in the Union does not apply to processing which is occasional does not include, on a large scale, processing of special categories of data like racial or ethnic origin, political opinions, religious or philosophical beliefs or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
It is important to note that the controller or processor must comply with all these criteria described above; in order to be exempt from the obligation to appoint a representative. You also do not need a representative if you have an establishment within the EU.
We can help you assess whether the GDPR applies to you and whether you need a representative. If so, we can act as your representative.
Additionally, we can support you in becoming compliant, act as your external data protection officer and advise you on an ongoing basis.