Data protection information
Are we subject to EU GDPR?
The EU General Data Protection Regulation (GDPR) has a broad scope of application. It applies to any personal information, which may include name, contact details including e-mail address, payment information, IP address, device fingerprints, as well as location and other behavioral data.
It not only affects companies with establishments in EU member states, but also includes non-EU based companies which collect, receive, retain or otherwise use personal information on individuals in the EU, given that the company:
- offers goods or services to individuals in the EU, irrespective of whether such services are chargeable or free, or
- monitors the behavior of individuals.
Therefore, as a condition for the GDPR to apply, the company must somehow target the EU market. The threshold is very low as this may include, among others, the following business activities:
- budgeting ad campaigns targeted at consumers in the EU, such as through search engines and social networks, or displaying testimonials from the EU,
- offering services with an international nature, such as certain touristic activities,
- using EU website top-level domains such as .de, .fr, .es or .eu, or providing EU language versions of an online service or mobile application, if different from the language commonly used in the country where the company is based,
- accepting payments in Euro or another EU currency,
- mentioning the EU or its member states in the context of a good or service, or providing specific support contact details for EU customers,
- delivering goods to EU member states,
- profiling, including behavioral advertisement and processing of geolocation data, particularly for marketing purposes,
- online tracking with cookies or other tracking techniques such as device fingerprinting,
- personalized digital diet and health analytics services,
- market surveys and other behavioral studies based on individual profiles,
- CCTV.
Depending on the individual case, the company may already be subject to the GDPR if only one of these triggers applies.
The scope also includes service providers which do not use personal data for their own purposes, but only on behalf of others (e.g. cloud services, SaaS providers).
To learn more about the extraterritorial scope of the GDPR, see our summary of the official EU guidelines or contact us.
Who needs an EU representative?
The obligation to appoint an EU representative pursuant to Art. 27 of the General Data Protection Regulation (GDPR) applies to any company
- without an establishment in at least one of the EU member states,
- which processes personal information subject to the GDPR (see question above).
Exempted are companies who meet the following requirements:
- only occasional processing of personal data of individuals in the EU,
- no large-scale processing of sensitive data such as information on health or criminal convictions, and
- processing is unlikely to result in a risk for individuals (e.g. using customer data only to fulfill a one-time order and no further data retention for marketing purposes).
Since these requirements must be met cumulatively, the scope for the exception is quite narrow. Whether such exception applies requires legal review in the individual case.
What is the function of an EU representative?
The main functions of an EU representative are, by law:
- to act as a local point of contact inside the EU for all inquiries relating to issues of data protection, particularly for customers and data protection supervisory authorities, often with legal effect for the company,
- to retain records of processing activities (Art. 30 GDPR) of the company in the EU,
- to cooperate with supervisory authorities in case of investigations.
CAVE is specialized in fulfilling the requirements listed above in a compliant and customer-friendly manner. In case you need additional services relating to data protection compliance, such as legal advice or the appointment of a Data Protection Officer pursuant to Art. 37-39 of the GDPR, we will be glad to put you in touch with our partners.
What if we do not appoint an EU representative?
In case your company is obliged to appoint an EU representative but fails to do so, EU data protection supervisory authorities may issue penalties of up to EUR 10 million or 2% of your company's global annual turnover, whichever is higher. According to EU laws, those fines may also be enforced against entities established in non-EU states.
Another aspect is that, since awareness of data protection matters in the EU has risen enormously, your B2B or B2C customers in the EU pay attention to whether you comply with GDPR obligations. The consequences of the negative publicity that accompanies reports of non-compliance may even exceed the damage caused by financial penalties.
How do we benefit from appointing an EU representative?
Apart from general business compliance, appointing an EU representative enables a one-stop shop for security incident reporting under the GDPR. If, for example, exploitable vulnerabilities cause an unauthorized disclosure of user data, companies are required to report such data breaches to the data protection supervisory authorities in Europe. Since there are 43 different national authorities, rolling out breach notifications is time-sensitive and costly, particularly considering that notifications must be made within 72 hours. Companies with an appointed EU representative only need to submit a report to one single authority, even if the breach affects users in all EU countries.
What are the impacts of Brexit on the GDPR representative requirement?
The UK has left the European Union as of January 31, 2020. EU laws including the GDPR, however, continue to apply in the UK at least until January 1, 2021, due to a transitional period agreed under the UK Withdrawal Agreement between the EU and the UK. From then on, in the UK, a "national version" of the GDPR will govern matters of data protection.
With regard to the GDPR representative requirement, three different scenarios should be distinguished:
- Companies which are located neither in the EU nor in the UK (but are doing business with the EU and UK) will need to appoint an EU representative as well as a separate UK representative.
- Companies which are located in the EU (and do business with the UK) will need to appoint a UK representative.
- Companies which are located in the UK (and do business with the EU) will need to appoint an EU representative.
Whatever applies to your business, CAVE is ready to cover all legal requirements.