The General Data Protection Regulation applies to all EU member states. Companies offering goods or services within the Union or observing the behaviour of those concerned are also included. It is independent of whether the persons are liable to pay (Art. 3 para. 2 EU GDPR). Thus, the General Data Protection Regulation also affects companies not established in the European Union.

Representatives of controllers or processors not established in the Union

Article 27 of the General Data Protection Regulation explains how companies from non-EU countries appoint an EU representative for data protection. The EU Representative is the point of contact for the supervisory authorities and must be expressly appointed and instructed in writing. The representative must be established in one of the Member States in which the data processing is conducted.

The obligation to appoint a representative shall not apply, unless, for example, special categories of personal data are processed on a larger scale. Additional exceptions are mentioned in Article 27 (2).

Tasks of the Representative

The legal person appointed by a company has the obligations arising from the General Data Protection Regulation as the company's data controller or processor. Due to the responsibility of the companies, a person concerned or a supervisory authority can turn to the responsible person or contract processor in the non-EU country as well as to the EU Representative.

ePrivacy supports you as an representative in achieving a high level of data protection as a competitive advantage and so that you can implement your planned business models as far as possible. We are happy to provide you with long-term advice on all data protection issues.

Do you have questions or recommendations for us?

We are glad to receive your comments.