Is the GDPR still applicable to a company not established in the European Union?

Background and purpose

Is the GDPR (General Data Protection Regulation) mandatory for a company, which is not established in the European Union? Is globalisation and the global network a reason not to apply the rules and obligations of the GDPR?

The GDPR is a European legislation. Are firms with domiciles in third countries affected and obliged to adhere to the regulations, if they offer merchandise and services to people who are living within the EU?

In this article I would like to examine in which ways the regulations of the GDPR have to be fulfilled, if a Controller (for example a company) is established in a third country, for example in Switzerland. Furthermore, I would like to show in which way this company can offer its services on a legal basis in the European Union (Note: Controller hereinafter denotes “Controller and Processor).

Companies, that are affected

First it is important to define the territorial scope. The material scope shall not be reviewed.

The territorial scope for this example is defined in the Article 3(2) GDPR as follows: “This Regulation applies to the processing of personal data of Data Subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the Data Subject is required, to such Data Subjects in the Union; (...)”¹.

But what does this mean in detail? There are several aspects to be pointed out here: The company has no branch in the Union. It offers goods and services to people who are in the Union. This means, that these people, whose personal data will be processed, must not be residents of a European member-state².

Finally, the law says “(…) irrespective of whether a payment (…) is required (…)”. The legal force is regardless of the existence of a valid contract³.

Furthermore, Article 3(2b) is very interesting, as it specifies, that this regulation is also mandatory for “(…) the monitoring of their behaviour as far as their behaviour takes place within the Union.” (Note: With “their,” Data Subjects are meant).Recital 24 GDPR explains, that “monitoring of their behaviour” relates to internet activities, which can be monitored, tracked and subsequently processed. One objective for this could be to create a profile of the behaviour of the customer and Data Subject. In this case, surveillance and tracking with cookies, tags or pixels (for example facebook Pixel) etc. is meant, as far as the behaviour of the internet users takes place within the Union⁴. I would not like to go beyond the scope too much, so I will not go into more detail regarding Article 3.

The summary of aspects are:

• Companies, which are not established in the Union, are concerned,
• the companies offer goods and services to people who are in the Union
  and/or
• these companies would like to monitor the behaviour of Data Subjects.

But what do companies have to fulfill, if they operate within this scope?

The solution: A Representative in the Union

We find the answer in Article 27(1) of the GDPR: “Where Article 3(2) applies, the Controller shall designate in writing a Representative in the Union.” This means, a company has to designate a Representative and this has to be done in writing.

Who can be a Representative?

The Representative can be a private individual, a company or an association. He has to be designated in writing and must have his residence within the Union. It is not necessary, that the Representative is a part of the company of the Controller. Very important is, that the Representative cannot be the Data Protection Officer at the same time. Recital 80 says, the Representative is mandated by the Controller and thus bound to the instructions of the Controller. In contrast the Data Protection Officer has to be independent of the instructions of the Controller⁵.

Function of a Representative

In our case the company has no branch in the Union. For this reason, the supervisory authorities need an access point for the approach and maybe for joint enforcement. Furthermore, the Representative is a necessary point of contact for Data Subjects.So, the designation of a Representative is most important for the interests of third parties, for whom the GDPR makes possible the enforcement of their rights⁶.

Prerequisites for the designation

As mentioned before, the article 3(2) GDPR must be applicable (see section “Companies, that are affected”). The designation has to be done in writing. However, it is not clear by law, if the designation, the assignment or the appointment has to be done in writing. The guidelines are not consistent, but the procedure to designate an individual or legal person as a Representative in the Union, meaning the specific indication of information about the person, its address and its function as a Representative, has to be done in writing⁷.

A further prerequisite is that the Representative has to be established in one of the member states, in which the Data Subjects, to whom goods and services are offered and of whom private data is processed (or whose behaviour is monitored), currently reside. It is not necessary to designate a Representative for each member state of the Union. Artice 27(3) GDPR merely says “in one of the Member States”⁸.

Exceptions

There are the following exceptions of the designation:This obligation shall “not apply to processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to Article 9(1) or processing of personal data relating to criminal convictions and offences referred to Article 10, and if it is unlikely to result in a risk to the rights and freedoms of Natural Persons, (…)” (see Article 27(2)).

So one exception is, if a company does not process data on a large scale, there is no processing of special categories (Article 9(1)) or processing data relating to criminal convictions and offences.Another exception is, if the processing of private data is not a risk to the rights and freedoms of Natural Persons⁹.
Data processing by public authority or body is the last exception¹⁰.

Stance between Representative and Controller

As maintained by Recital 80 GDPR, the Representative acts in the name of the Controller and is an point of contact for the Supervisory Authority. He “represents the Controller or Processor with regard to their respective obligations under this Regulation;” (Article 4(17) GDPR).Therefore, the representative acts on behalf of another person and with a legal power of representation. But the representative acts “without prejudice to legal actions which could be initiated against the controller himself.” (Article 4(2) RL/95/46/EG)¹¹.

On the other hand, the Representative acts within minor scopes for decision-making. In Recital 80 GDPR it is determined, that the “Representative should perform its tasks according to the mandate received form the Controller or Processor (…). This means the company (Controller) defines the extent of the power of representation¹².

But what happens if there is a legal breach caused by the Controller? Is the Representative responsible for this by civil or penal law? The problem is that this case is not consistently regulated within the Member States. In some states the Representative can be punished, in other states there are no such regulations¹³.

Duties of the Representative

As mentioned before, the Representative poses a point of contact for the supervisory authorities, for their joint enforcements and for requests of Data Subjects, too.

The legal responsibility remains with the company and will not be transferred to the Representative. The Representative only supports the company in fulfilling the obligations under the GDPR¹⁴.

But there are also some duties the representative has to carry out for himself. For example, he has to provide the “Records of processing activities” if the Supervisory Authority requests this (Article 30(2) GDPR). Furthermore, the Representative is obliged to cooperate with the supervisory Authority (Article 31 GDPR).

If there is a legal infringement against the law caused by the company, the Representative can be affected via enforcements of the Supervisory Authorities. What the enforcement exactly includes is not really clear and is discussed in many aspects by Gola (“DS-GVO, Datenschutz-Grundverordnung VO(EU) 2016/679)¹⁵.

Infringement

If there is an infringement, the Controller is liable for this, not the Representative. The Representative shall be mandated to be addressed by Supervisory Authorities only (Article 27(4) GDPR). However, the Representative has its own duties which he must fulfill. In case he infringes against his own duties, he can be punished by the Supervisory Authority¹⁶.

Synopsis

Companies or processors, who do not have a branch in the Union, are not free of the obligations of the GDPR. On the contrary, if they offer goods and services and process personal data of people, who currently stay in the Union, but are not necessarily citizens of the respective state, these companies are obliged by the GDPR.This is also applicable in case a website monitors, tracks and processes the behaviour of visitors.Companies, who are affected by this, must designate a Representative who is established in the Union. The Representative has to be designated in writing. The company remains responsible itself and the Representative serves as a point of contact. The representative acts on behalf of the Controller for requests of the Supervisory Authority. In general, the company is responsible itself for its infringements. In some cases, the Representative has his own duties and obligations and is thus responsible himself. In case of infringement he can also be punished.

Source references