GDPR Representatives in the EU
Companies based outside the EU which specifically aim to process data of EU citizens must appoint a Representative within the EU in accordance with Article 27 GDPR (“GDPR Representative”). The GDPR Representative serves as a contact person for supervisory authorities and data subjects. Enquiries addressed to the company that the Representative receives are forwarded by the Representative to the relevant contact person in the company. The Representative must be officially appointed so that the company complies with the formal requirements. The GDPR Representative may be a company which is part of the same group and located in the EU, so it is not mandatory to use an external service provider. In particular, international companies that do not have a subsidiary or sister company located in the EU will need to use an external service provider.
We are happy to act as a GDPR Representative for groups or companies that are not based in the EU or do not have the capacity to act in such a manner. As a Representative under Article 27 we provide the following services:
- contact person for supervisory authorities and interested parties with forwarding of enquiries
- forwarding of letters, enquiries, letters of and possible fines to the company
- presentation of the appointment of Representatives to the outside world (on request)
- initial information on questions of GDPR and local data protection law (on request).
News due to Brexit and the related EU-UK Agreement:
Additionally, we would like to give further information on UK companies, as the final Brexit Agreement is now in place and several inquiries on this topic have already reached us. It is now final that the UK will become a Third Country, beginning May 2021 (or July 2021, in case the transition period is amended to July 2021). The UK aims to achieve an Adequacy Decision by the EU Commission to ensure that data flows can be conducted as they were prior to Brexit. However, despite the Agreement and a possible Adequacy Decision, new formal requirements (e.g., informing Data Subjects about data transfers to the UK) will be necessary for EU and UK companies.
The new formal requirements due to the GDPR include that UK companies will need to appoint a GDPR Representative after the transition period! We are already in close contact with UK colleagues to prepare for these compliance requirements and are happy to assist you with your questions. Since it will be mandatory from May or July 2021, UK companies should now prepare to appoint a GDPR Representative.