Controllers outside the European Union (EU)/European Economic Area (EEA) are bound by the provisions of the General Data Protection Regulation (GDPR) if they offer goods or services to data subjects within the EU (Art. 3 para. 2 letter a GDPR), monitor the behaviour of data subjects within the EU (Art. 3 para. 2 letter b GDPR) or if the law of a Member State is applicable due to international law (Art. 3 para. 3 GDPR). In the cases of Art. 3 para. 2 of the GDPR, the controller or the processor must always appoint a representative in the EU in writing pursuant to Art. 27 para. 1 GDPR.
In the following, these Guidelines are dedicated to the legal framework of the designation and is intended to serve as guidance for data controllers, processors and service providers.
Purpose
The purpose of Art. 3 GDPR is to provide both the data subjects and the supervisory authorities with a contact point. Art. 3 para. 2 GDPR extends the territorial scope of application for certain cases to third countries in which the supervisory authorities of the Member States have no competence and in which there would be a risk that the obligations of the controllers and processors located there would come to nothing. Thus, the representative is an important instrument for the effectiveness of law enforcement as well as for the protection of data subjects‘ rights under Art. 12 et seq. GDPR.
Views: 0
