Representative in the European Union (General Data Protection Regulation)

According to Art. 27 of the General Data Protection Regulation, controllers or processors not established in the European Union are obliged to appoint a representative in the European Union (also called a representative of controllers or processors not established in the Union, or an Article 27 representative) if they process personal data of persons resident in the EU.

Purpose

The purpose of the obligation to appoint a representative in the European Union is to give the supervisory authorities a point of contact for foreign companies that process personal data of EU citizens, both for establishing contact and for possible "enforcement measures".

Requirement

Every controller or processor based outside the European Union to which the General Data Protection Regulation applies in accordance with Art. 3 Para. 2 GDPR is obliged to appoint a representative in the European Union in accordance with Art. 27 GDPR.

The appointment of a representative in the European Union is not necessary if the data processing takes place only occasionally, does not involve sensitive data within the meaning of Art. 9 GDPR (e.g. health data) and, taking into account the type, circumstances, scope and purposes of the processing, is unlikely to result in a risk to the rights and freedoms of the data subjects. Foreign authorities are also exempt.

Appointment

In principle, any natural or legal person established in the EU can be a representative. The representative may be appointed for the entire EU or for one or more member states. However, according to Art. 27 Paragraph 3 GDPR, the representative must be established in a member state in which there are (also) data subjects whose data is being processed. Several controllers may also name the same person as a representative, as long as this does not result in a conflict of interests. The appointment must be made in writing; text form (e-mail) is sufficient.

The representative must be named in the data protection declaration in accordance with Art. 13 Paragraph 1 No. 1 GDPR.

A distinction is to be made between the representative under Art. 27 GDPR and the data protection officer. It is argued that the representative cannot be the data protection officer at the same time, since the representative is bound by instructions, whereas the data protection officer acts independently.

Tasks

The representative acts as the company's contact point within the European Union, to which data subjects and supervisory authorities can turn in connection with the processing of personal data. Furthermore, the representative has the task of representing the controller with regard to the obligations incumbent on it under the General Data Protection Regulation, in particular with regard to the rights of data subjects (information, deletion, etc.). As mentioned, the representative is bound by the client's mandate.

However, the representative cannot limit himself to passing on information from his respective client to the supervisory authority or the data subject. He is also the addressee of supervisory enforcement proceedings and is obliged to provide information to the supervisory authority, especially if his client violates legal obligations (see below).

In German law, the position of the representative in civil proceedings is specified in Section 44 (3) of the Federal Data Protection Act. According to this, the representative is considered to be authorized to receive service for complaints by data subjects due to a violation of the General Data Protection Regulation.

Finally, in accordance with Art. 30 (1) GDPR, the representative keeps a record of processing activities for all processing activities that are subject to his or her responsibility.

Practice

Specialized law firms and IT consultancies offer to act as a representative as a service and may represent many foreign companies at the same time.

Liability

If the representative disregards the client's mandate, he is liable to the client internally; the client must, however, answer for the actions of its representative. In external relationships, the representative is the addressee of regulatory fines only if he himself violates data protection law; otherwise he acts only as a representative of the controller without liability of his own. This also applies to civil law claims for damages by data subjects.
