Art. 27 of the European Data Protection Regulation (GDPR) requires any company located outside the EU that (i) processes personal data in connection with providing services or products to the European Union or (ii) monitors the behavior of data subjects in the EU to appoint a so-called representative. Only a few companies can rely on the following exception to the obligation to appoint a representative: the processing must be occasional only, must not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and must be unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
In sum, most companies that are subject to GDPR must appoint a representative.
Your EU representative shall be legally appointed to represent you when dealing with data protection supervisory authorities in the EU or when responding to data subject queries.
The representative shall be mandated by the non-EU company (controller or processor) to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with the GDPR. The representative is an authorized representative for the receipt of legal documents.
The designated representative must be established in one of the EU Member States where the processing takes place. It must be a natural or legal person designated in writing by the controller or processor in accordance with Article 27 (GDPR). A legal entity is a natural, legal or other person who has legal rights and obligations. The representative does not have to be a lawyer or privacy advocate.