Profile information Member settings
Logout
Sign up Sign in

Make your GDPR documents

Get started

What is an EU representative?

An EU representative (also known as a ‘data representative’) is a local contact for data subjects (ie individuals to whom personal data relates) and supervisory authorities (eg the Information Commissioner’s Office (ICO) in the UK, the Commission Nationale de l’Information et des Libertés (CNIL) in France and the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) in Germany). The data representative is the party that should be contacted about any issues relating to the processing of personal data. In other words, an EU representative acts as an organisation’s public face in the EU and European Economic Area (EEA).

Note that all EU countries are also EEA countries. As a result, any references to the ‘EEA’ also apply to ‘EU’, unless stated otherwise.

Who needs to appoint an EU representative?

Organisations based in the UK who do not have a branch, office or other establishment in any EU or EEA country may need to appoint an EU representative under the EU GDPR. This is the case if an organisation:

  • offers goods or services to individuals in the EEA

  • monitors the behaviour of individuals in the EEA

The representative needs to be established in an EU or EEA country in which some of the data subjects are located.

An EU representative needs to be appointed to provide data subjects and supervisory authorities with a point of contact for data protection issues and enquiries under the EU GDPR because the organisation does not have a base in the EU or EEA. 

Who does not need to appoint an EU representative?

An EU representative does not need to be appointed:

Essentially this means that organisations without a base in the EEA, that regularly serve EEA customers, require a representative. Small organisations that only serve EEA customers occasionally (eg one customer every couple of months) do not need to appoint a representative, provided the data they process doesn’t pose a moderate or high risk to the rights and freedoms of data subjects. However, to ensure compliance with data protection laws, an EU representative should be appointed by any organisation that:

  • processes special category or criminal offence data

  • has many EEA customers, and/or

  • intends to expand its business

If you are unsure if you need to appoint an EU representative, Ask a lawyer.

Who can act as an EU representative?

A representative can be an individual or an organisation (eg a company, law firm or consultancy organisation) established in the EEA

The representative must be able to represent the UK organisation regarding its obligations under the EU GDPR. This means that the UK organisation needs to authorise the representative in writing to: 

  • act on its behalf regarding EU GDPR compliance (eg by keeping records of data processing activities and monitoring how the EU GDPR applies to the organisation)

  • deal with any supervisory authorities in relation to EU GDPR compliance (eg by making records available)

  • deal with any data subjects in relation to EU GDPR compliance (eg by responding to data protection requests and answering data-related questions) 

In practice, an EU representative may be appointed under a Services agreement.

What information needs to be made available?

UK organisations should provide details (eg name and email address) of their EU representative to any EEA-based data subjects. This can be done by including such details in a privacy notice or in the information provided when personal data is first collected.

Organisations must ensure that this information is clear and easily accessible to both data subjects and supervisory authorities. This can be achieved by publishing the information on the organisation’s website.

What is the difference between an EU representative and a data protection officer?

EU representatives and data protection officers (DPOs) are different parties that perform different roles within an organisation. A DPO is someone within an organisation who is responsible for ensuring data protection compliance. It is an active in-house role responsible for ensuring compliance with the GDPR and the organisation’s privacy efforts. An EU representative is an external role, acting as a point of contact for EEA data subjects and supervisory authorities. For more information on DPOs, read Data protection officers (DPOs).

 

For more information on EU representatives, see the ICO’s guidance on European representatives and the European Data Protection Board’s (EDPB’s) guidance on the territorial scope of the EU GDPR.

If you have any questions or concerns or require assistance, Ask a lawyer. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws.


Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors

Try Rocket Lawyer FREE for 7 days

Get legal services you can trust at prices you can afford. As a member you can:

Create, customise, and share unlimited legal documents

RocketSign® your documents quickly and securely

Ask any legal question and get an answer from a lawyer

Have your documents reviewed by a legal pro**

Get legal advice, drafting and dispute resolution HALF OFF* with Rocket Legal+

Your first business and trade mark registrations are FREE* with Rocket Legal+

**Subject to terms and conditions.