One of the lesser-known but still important obligations that non-EU-based organisations face under the EU General Data Protection Regulation (GDPR) is found in Article 27, which is aptly titled ‘Representatives of controllers or processors not established in the Union.’ Organisations that process EU residents’ data, but that are established outside of the EU, must formally appoint a representative in the European Union to represent them on data protection matters.
Checklist for EU Rep services
- Are you a non-EU based company?
- Do you use data relating to EU residents such as email addresses, country location data, or IP addresses?
- Do you use data relating to EU residents either for the sale of goods or the supply of services – even if these services or goods are free?
- Do you process personal data relating to EU residents for marketing or for targeting of individuals for behavioural advertising, if that behaviour takes place in the EU?
If you answered YES to any of these questions, it is highly likely that the GDPR applies to your business. The GDPR carries a number of consequences over and above the need to have an appointed Data Protection Representative in the EU.
What to do if the GDPR applies to your non-EU company
- You have to comply with the GDPR, which includes the obligation to designate a GDPR representative in the EU.
- Article 27 of the General Data Protection Regulation requires that you appoint a representative in the EU as your point of contact for clients, customers and authorities regarding privacy matters. If you have clients and customers in the EU, and if you want to comply with the law, then this is not optional.
- You have to publish the EU representative’s contact details on your website together with your terms and conditions and/or privacy policy.
