GDPR FAQ
Does our company need an Art. 27 GDPR representative in the EU?
Which companies need an EU representative?
Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:
- offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or
- monitor their behaviour (e.g. cookie profiling).
According to the Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR, this applies to both controllers and processors. For processors not established in the European Union the applicability of GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller.
Case 1: Online Gaming: You are an online gaming company located outside the EU and offer your games to data subjects in the EU free of charge. While they use your games, you analyse the data subjects' geolocation data, web-browser data and history, and show ads based on this data. As you target the EU market by offering your games and monitoring the users' behaviour, you are legally required to appoint a GDPR Representative physically established in an EU member state to remain compliant. Violations of the EU GDPR can lead to substantial fines by authorities and exclusion from business activities in the EU.
Case 2: B2B SaaS: You develop CRM software and offer it as a SaaS product to companies that either target the EU without having an establishment there or are themselves located in the EU. Because your business clients are targeting EU data subjects and your CRM software product is processing and storing their data, you are also required to appoint a GDPR Representative physically established in an EU member state. It is likely that your business clients in the EU will also require you to appoint a representative and enter into a data processing agreement. You can establish trust by already being GDPR compliant during the negotiation phase with your business clients.
Are there any exemptions from the obligation to appoint an EU representative?
According to Art. 27 GDPR, controllers or processors are exempt from this obligation if ALL of the following criteria are met:
- personal data is only processed occasionally, i.e. only from time to time and not systematically; AND
- data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences; AND
- data processing is unlikely to result in a risk to the rights and freedoms of data subjects.
It is hard to meet ALL of these criteria; in particular, the criterion of processing data only occasionally proves to be a big hurdle for most businesses.
Does my company offer goods and services to individuals in the EU?
Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, a mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The European Data Protection Board listed the factors to be taken into account when assessing if goods and services are offered in its Guideline 3/2018 on the territorial scope of GDPR. Some of those factors are:
- using languages of EU Member States, or offering payments in a currency of an EU Member State;
- using Google or Facebook ads to address the EU market, or any other marketing activity directed towards EU customers;
- mentioning EU references or testimonials;
- the activity at hand being of an international nature, such as certain tourist activities;
- mentioning dedicated addresses or phone numbers to be reached from an EU country;
- use of EU top-level domains;
- description of travel instructions from one or more other EU Member States to the place where the service is provided;
- offering the delivery of goods to EU Member States.
In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's product, GDPR is likely to apply.
Case 1: A website, based and managed in Turkey, offers services for creating, editing, printing, and shipping personalised family photo albums. The website is available in English, French, Dutch, and German, and payments can be made in euros or sterling. The website indicates that photo albums can only be delivered by mail in the UK, France, Benelux, and Germany.
Case 2: A Swiss University offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such services to data subjects who are in the European Union, and GDPR will apply to the related processing activities.