Back to all articles
A company not established in the EU must appoint a representative under Article 27 GDPR (market location principle, Marktortprinzip) if it:
- Offers goods or services to persons* located in the EU, regardless of whether those persons are required to make a payment
- Monitors the behaviour of persons located in the EU within the EU
- Processes data of persons located in the EU other than occasionally
- Processes data of persons located in the EU only occasionally, but that processing poses a risk to the rights and freedoms of those persons (example: a foreign bank occasionally assesses the creditworthiness of EU citizens by means of a rating procedure)
- Acts as a processor and processes data of persons located in the EU
The representative under Article 27 GDPR must be established in one of the EU member states in which the company collects data from individuals. The representative's principal task is to serve as a point of contact for data subjects and supervisory authorities in the EU.
*Definition of persons here: natural persons (individuals), but not legal persons (e.g. GmbH, Aktiengesellschaft)
