If you do not have an office in the EU/EEA, but still process data from individuals based in the EU/EEA, then you still need to comply with the GDPR regarding your data processing and the GDPR requires you to appoint a representative.
If you do not have an office in the EU/EEA, but still process data from individuals based in the EU/EEA, then you still need to comply with the GDPR regarding your data processing.
As you do not have a base inside the EU/EEA, the GDPR requires you to appoint a representative. This representative needs to be set up in an EU or EEA state where some of the individuals whose personal data you are processing are located.
You need to authorise the representative, in writing, to act on your behalf regarding your GDPR compliance. Be aware that a Data Representative is not a Data Protection Officer (DPO). It is a distinct role with its own responsibilities.
The representative’s role is to ensure that you comply with the GDPR by enabling communication with individuals in Europe and European data protection authorities.
Your representative can be an individual, or a company or organisation, and must be able to represent you regarding your obligations under the GDPR (e.g. a law firm, consultancy or private company).
You should give details of your representative to EEA-based individuals whose personal data you are processing, this should be done by including the contact details in your privacy policy. The representative must also be able to act on your behalf with European data protection authorities.
Lastly, the representative will help you meet your Article 30 requirements (records of processing activities) and provide you with updates relating to the GDPR.
Read more about the record of processing.
You will most likely need to appoint a representative, If you are based outside the EU/EEA and do not have a branch, office or other establishment in any other EU or EEA state, but you either:
Learn more about Privacy Hub →