Frequently Asked Questions on Prighter GDPR-Rep

Does our company need an Art 27 GDPR representative in the EU?

Which companies need an EU representative?

Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:

  • offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or

  • monitor their behaviour (e.g. cookie profiling).

According to Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR, this applies to controllers and processors as well. For processors not established in the European Union, the applicability of GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller.

Case 1: Online Gaming: You are an online gaming company located outside the EU and offer your games to data subjects in the EU free of charge. When they use your games, you analyse the data subjects' geolocation data, web-browser data and history, and show ads based on this data. As you target the EU market by offering your games and monitoring the users' behaviour, you are legally required to appoint a GDPR Representative physically established in an EU member state to remain compliant. Violations of the EU GDPR can lead to substantial fines by authorities and exclusion from business activities in the EU.

Case 2: B2B SaaS: You develop CRM software and offer it as a SaaS product to companies that are either targeting the EU without an establishment or are located in the EU. Because your business clients are targeting EU data subjects and your CRM software product is processing and storing their data, you are also required to appoint a GDPR Representative physically established in an EU member state. Most likely your business clients in the EU will also require you to appoint a representative and enter into a data processing agreement. You can establish trust by already being GDPR-compliant during the negotiation phase with your business clients.

Are there any exemptions from the obligation to appoint an EU representative?

Does my company offer goods and services to individuals in the EU?

Does my company monitor the behaviour of EU data subjects?

What fine may be imposed for non-compliance?

What to look for in an Art 27 EU GDPR representative and what is Prighter’s approach?

What are the responsibilities of the representative?

Where should a representative be located?

What is Prighter's approach to EU GDPR representation?

What is the difference between a DPO and an EU GDPR representative?

When do you need a DPO and when do you need a representative?