Liability risk for missing GDPR Representative
Quick read:
For companies without a subsidiary in the EU, data protection is no longer a side issue. Anyone who offers goods or services to EU citizens must appoint an EU Representative pursuant to Art. 27 GDPR. The European (data protection) supervisory authorities monitor compliance with the appointment requirement and impose fines, some of which are substantial, if the Representative is missing or has not been correctly appointed. International companies must therefore take particular care: a violation is not only quickly discovered and leads to financial consequences, but also increases the risk of extensive follow-up audits by the supervisory authorities.
1. Obligation to appoint a representative pursuant to Art. 27 GDPR
With the GDPR, European legislators are pursuing a clear goal: anyone who works with data belonging to European citizens must also be accessible in Europe. For this reason, Art. 27 GDPR requires companies without a subsidiary in the EU to appoint a Representative based in the EU. This obligation applies whenever a company specifically targets EU citizens with its own products or services. Companies that analyze the behavior of individuals in the EU, for example through cookies, tracking, or profiling, are also generally affected.
The Representative takes on a central role: they are the official point of contact for supervisory authorities and affected individuals within the EU. They keep data protection-related documents ready, assist with inquiries, and thus ensure that the company's data protection compliance runs smoothly.
2. Easy verifiability for supervisory authorities
European (data protection) supervisory authorities actively monitor whether companies are complying with their obligation to appoint an EU representative. The supervisory authorities benefit from the fact that it is relatively simple for them to check whether a company is complying with its appointment obligation. With a quick internet search, the supervisory authorities can usually easily determine whether a company offers goods and/or services (also) on the European market and whether the company is doing so without its own European subsidiary. If the Representative is not mentioned in the company's privacy policy, this is a strong indication that the representative does not exist. Even if a Representative has been named, there is still a violation of the naming obligation under Art. 13(1)(a) GDPR.
3. Range of fines and administrative fine practice
The fact that a violation of the obligation to order pursuant to Art. 27 GDPR is not a “trivial offense” is demonstrated by the range of fines provided for in Art. 83 GDPR. According to this, a violation of the obligation to appoint a Representative under Art. 27 GDPR is punishable by a fine of up to €10 million or 2% of the company's global annual turnover (whichever is higher).
Much to the chagrin of companies, fines for violations of Art. 27 GDPR are not merely theoretical. For example, the Dutch data protection supervisory authority imposed a fine of €525,000 on the company locatefamily.com for failing to appoint an EU Representative. The Italian supervisory authority imposed a fine of €600,000 on Clearview AI for the same reason.
4. Trigger for further supervisory controls
In addition, companies that ignore the obligation to designate a Representative also open the door to more comprehensive (follow-up) audits and measures by the supervisory authorities. The legal logic behind this is clear: the EU Representative is supposed to ensure that data subjects can effectively assert their rights (e.g., to access, rectify, or erase their data) against the controller or processor. If no such contact person is appointed, this is not possible.
A supervisory authority could take the failure to appoint a Representative as an indication that the company in question is also negligent in other areas of data protection. From the authorities' point of view, it is reasonable to assume that a company that is already negligent in such a fundamental obligation may also disregard other GDPR requirements. In the worst case scenario for the company, failure to appoint a Representative could result in a comprehensive audit of the company's entire data processing concept, or at least large parts of it.
5. What must companies do?
- Check whether your company is subject to the Representative requirement based on the criteria listed above.
- If this is the case, appoint a Representative for your company who is based in the EU.
- Include the EU Representative as a contact person in your company's privacy policy.
- Ensure that the EU Representative has access to all necessary internal business information to be able to respond to inquiries from authorities or data subjects.