Does a U.S. Company Need a GDPR European Representative?
A U.S. company collecting, processing, or storing data originating in the EU may need a GDPR European Representative if it doesn´t have a physical EU presence.
Most U.S. companies that collect, process, or store data originating in the European Union are aware of the need to comply with the EU´s General Data Protection Regulation (GDPR). However, companies that do not have a physical presence in the EU (i.e. a corporate office or subsidiary) might not be aware they may also be required to appoint a GDPR European Representative.
This requirement is covered by Article 27 of GDPR, which states “Where Article 3(2) applies, the controller or processor shall designate in writing a representative in the [European] Union”. Because Article 3(2) does not apply to every scenario, and because exceptions to Article 27 exist, it can be complicated to work out whether a GDPR European Representative is required or not.
What Article 3(2) Says and Exceptions to Article 27
Article 3(2) says – “This Regulation [GDPR] applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or
(b) the monitoring of their behavior as far as their behavior takes place in the Union.”
This clause covers most uses of EU data sets, but there are exceptions. For example, if a U.S. company was collecting or processing data relating to EU citizen´s travel habits outside of Europe for research purposes, the company would not be subject to GDPR regulations – provided any non-anonymized data was not later sold to a travel company for marketing purposes.
With regards to the requirement to appoint a GDPR European Representative, Article 27 does not apply to public authorities or “processing which is occasional and does not include on a large scale processing of special categories of data […] or processing of personal data relating to criminal convictions […], and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”.
To further complicate the matter, GDPR does not define what constitutes “large scale processing”. Some individual national data protection authorities have produced their own definitions, and these can range from five thousand EU subjects to five percent of the member state´s population – which in the case of Germany would amount to more than four million data subjects. For this reason it is recommended U.S. companies seek professional legal advice or appoint a European GDPR Representative voluntarily.
The Benefits of Appointing a GDPR European Representative Voluntarily
The primary benefit of appointing a GDPR European Representative voluntarily is that a non-EU organization has a point of contact through which EU citizens can exercise their GDPR rights – i.e. the right to be forgotten. This can help ensure Subject Access Requests are expedited and resolved within the one month allowed by the regulation.
Voluntarily appointing a GDPR European Representative also gives national data protection authorities a point of contact through which non-EU organizations can stay up-to-date with the latest developments or interpretations of GDPR. The representative should be given the authority to accept legal documents on the organization´s behalf, which can then be used to ensure the organization is collecting, processing, or storing data in compliance with GDPR.