If you collect, process, or control the personal data of people in the EU from outside the EU, you may need a data protection representative.
If you do business with people in the EU, you must comply with the General Data Protection Regulation (GDPR), including the mandate in Article 27 requiring many non-EU companies to appoint a data protection representative (DPR) in the EU.
To learn more, I contacted Tim Bell, managing director of DPR Group, a provider of EU DPR services through its network of 28 locations (one in each EU member state). Tim prefers the term “EU representative” to DPR, because the latter can be confused with the separate role of data protection officer (DPO) defined in GDPR Article 37. DPR and DPO are distinct roles that should be undertaken by different people, and typically the representative sits outside the company itself; still, many people confuse them.
What is the requirement for a DPR, as spelled out in Article 27?
Article 27 of GDPR requires that a company which a) is outside the EU (i.e., has no EU office), and b) provides goods or services into the EU (whether at a cost or for free) or monitors people there (e.g., follows individuals’ Internet activity with the use of a cookie), must appoint an EU representative. This applies whether the company is a data controller or a data processor for the purposes of GDPR.
There are exemptions — mainly for public sector organizations and matters outside the scope of EU law (e.g., national security). There’s also an exclusion for companies that undertake only “occasional” EU data processing, but as “occasional” has yet to be clarified, it might be best not to rely on this exemption until there’s some clarity. (When asked, I usually say that if a company’s data processing is more than 5-10% in the EU, or if it processes data for more than a few hundred EU individuals, it should be very cautious when relying on this exemption.)