Controller/Processor outside the EU

The GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.

Where this is the case, the following applies:

The controller or the processor shall designate in writing a representative in the Union.

The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with the GDPR.

The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Failure to comply could subject you to level 1 fines – i.e. EUR10 million or 2% of global turnover.

Determining establishment and the offering of goods and services

Example 1 – your company is based in Australia and you sell services globally over the Internet, including to EU users. Basic services are free of charge, with payment required for enhanced services. You don’t have any operations or sub-contractors on the ground anywhere in the EU. Your company must comply.

Example 2 – your company’s head office is based in Hong Kong and you have global operations in engineering. You have a branch office in Dublin, Ireland. This means that the Dublin office must comply with GDPR as it operates within Ireland and the EU. However, let’s extend the example. What if the Dublin office uses your global HR system, which is based in Hong Kong? For any transfers of employees’ personal data outside of the EU, your company must comply with requirements for transfers to third countries, i.e. binding corporate rules and/or model clauses.

NOTE: the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.
