GDPR representative in the EU, what are the risks in case of non-appointment?

Nowadays, the GDPR’s extraterritoriality (Article 3.2) and its related obligation to designate a representative in the EU (Article 27) are some of its best-known features.

According to these, any entity without a European establishment but nevertheless subject to the GDPR must appoint a dedicated representative in the EU. The role and responsibilities of the latter have been detailed in numerous articles and guidelines.

However, as with any piece of legislation, GDPR risk is managed through a balancing act. The likelihood and severity of potential penalties are first identified, before being compared with the cost of the measures required to mitigate or eliminate the risk.

So, what is the actual likelihood and severity of the risk involved here?

Does this somewhat obscure Article 27, far removed from the GDPR’s cardinal principles, really make up the Supervisory Authorities’ top priority? Furthermore, wouldn’t the absence of any European establishment allow companies to evade scrutiny, and exclude this obligation from their risk management system?

Until mid-2020, this position was fairly arguable. However, the EU Commission’s new political will (I) has since been translated into a myriad of administrative sanctions, relating to both the absence of a representative (II) and the improper execution of his role (III).

I. A firm political will since 2020

Initially, the confused implementation of the GDPR within the European Economic Area was a sufficiently gargantuan task to monopolize both the EU Commission and the national Supervisory Authorities.

However, as intra-European enforcement became more systematic, the European Commission wished to revive the momentum for extra-European controls through a June 2020 Communication.

In the latter, the Commission recalls that “an important aspect […] of EU data protection rules is the extended territorial scope of the GDPR, which also covers the processing activities of foreign operators active on the EU market”.

It also considers it “essential that this extension is reflected […] in the implementing measures taken by data protection authorities”.

Finally, the Communication is concluded with an injunction to Supervisory Authorities: “The Committee is invited to […] ensure effective enforcement against operators established in third countries falling within the territorial scope of the GDPR, in particular as regards the appointment of a representative, where appropriate (Article 27)”.

With hindsight, this request has unmistakably been followed up by its recipients.

II. The multiplication of sanctions linked to the absence of a GDPR representative in the EU

As a first step, sanction procedures were initiated against companies that did not have any GDPR representative. In this regard, two cases are particularly noteworthy: “Locatefamily” and “Clearview AI”.

  • A €525,000 fine against Locatefamily.com

On May 12th, 2021, the Dutch supervisory authority inflicted a 525,000 euro fine (in Dutch only) on the company Locatefamily.com.

The platform, whose business is to list personal data on the internet, was fined solely for failing to appoint a GDPR representative in the EU.

Moreover, the SME was ordered to make this designation as soon as possible, under a penalty of an additional 20,000 euros per 15 days of non-compliance.

  • A 40 million euro double fine against Clearview AI

On February 10th, 2022, the Italian supervisory authority inflicted a 20 million euro fine (in Italian only) on the US company Clearview. On July 13th of the same year, the Greek authority found the same failings and imposed an identical and additional fine (in Greek only) of 20 million euros.

Clearview AI’s activity consists of scraping the web to collect images of people for facial recognition purposes. In this case, the company was accused of numerous breaches of the GDPR, including the lack of an EU GDPR representative.

However, it was the company’s poor management of people’s rights that attracted the attention of the supervisory authorities. Without a DPO or representative in the EU, the company failed to deal with several requests to exercise rights, which then turned into complaints to the authorities.

As a second step, and in addition to the lack of EU GDPR representatives, European Supervisory Authorities are also turning to the appointment of representatives who are unsuitable, or who do not fulfill all the obligations of Article 27.

III. The emergence of sanctions related to inadequate or insufficient GDPR representation

In the second phase, the European authorities have started to check the effectiveness of the appointment of GDPR representatives in the EU. In this respect, two cases stand out: those of Senseonics and Alpha Exploration.

  • A €45,000 fine against Senseonics Inc.

On July 7th, 2022, the Italian supervisory authority imposed a 45,000 euro fine (in Italian only) on Senseonics.

This US company, which had no establishment in the EU, was introducing medical devices into the European market. As such, it had appointed a “single representative” within the meaning of Directive 93/42/EEC on medical devices, whose role was to represent it before the European authorities.

However, the Italian authority considered that the appointment of a representative under this directive was “not adapted to meet the requirements of the GDPR”. Far from being a mere “mediator who merely puts people in touch, the GDPR representative must therefore be a person who acts on behalf of the principal about the GDPR obligations”.

Due to the efforts made to comply immediately, including the appointment of a dedicated GDPR representative, the company was only fined a relatively small amount.

  • A 2 million euro fine against Alpha Exploration

On October 6th, 2022, the Italian supervisory authority imposed a 2 million euro fine (in Italian only) on Alpha Exploration.

While the mining exploration company was accused of several breaches, the GDPR representative in the EU it had appointed did not fully perform the functions for which he was responsible.

For example, data subjects were told that any communication sent to the representative had to be sent to Alpha Exploration in parallel to be processed. In addition, instead of a dedicated email address, the GDPR representative had to be contacted through a web form, hosted on another URL, and subject to another privacy policy.

In this case, the representative seemed to play the role of, at best, a passive mediator and, at worst, a strawman meant to protect his clients from a sanction.

Undoubtedly, European authorities have now taken up the issue of GDPR EU representation. Clearly defined in theory, extensively monitored and sanctioned in practice, this obligation has become very real and palpable. Up-to-date risk management systems are seemingly left with no choice but to integrate Article 27 from now on.

DPO Consulting is able to act as your EU representative. Do not hesitate to contact us for a quotation.
