Appointing a Representative vis-à-vis GDPR Compliance

Appointing an EU representative is crucial for any non-EU business that processes personal data of EU citizens. It helps ensure legal compliance with GDPR requirements, facilitates communication with EU authorities, protects data subjects’ rights, and builds trust with EU customers. 

If your business is based outside the European Union (EU) and processes personal data of EU citizens, it is mandatory to appoint an EU representative under the General Data Protection Regulation (GDPR). The GDPR is a regulation of the European Union that came into effect on May 25, 2018, and aims to protect the privacy of individuals in the EU by regulating the collection, use, and storage of their personal data. 

Representation in the European Union as mandated by the GDPR 

Here are some reasons why appointing an EU representative is essential: 

  • Legal Compliance: The GDPR requires that non-EU businesses that process personal data of EU citizens appoint an EU representative. Failure to appoint an EU representative can result in legal penalties, such as fines, which can be substantial. 
  • Facilitates Communication: Appointing an EU representative can facilitate communication between your business and EU authorities responsible for data protection. The EU representative can serve as a point of contact for data subjects and data protection authorities in the EU, helping to ensure compliance with GDPR requirements. 
  • Protects Data Subjects’ Rights: An EU representative is responsible for ensuring that data subjects in the EU are informed about how their personal data is being processed and their rights under the GDPR. This includes the right to access, rectify, erase, restrict, and object to the processing of their personal data. 
  • Builds Trust: Appointing an EU representative can help build trust between your business and EU customers. It shows that your business is committed to protecting their personal data and complying with EU data protection laws, which can be an important factor in gaining and retaining customers. 

Compliance Mandate as per the GDPR 

Under Article 27 of the GDPR, non-EU businesses that process personal data of EU citizens are required to appoint an EU representative. The EU representative acts as the point of contact for data subjects and supervisory authorities in the EU, ensuring compliance with GDPR requirements. 

The GDPR has strict penalties for non-compliance with its provisions, and fines can be substantial. Here are some examples of GDPR fines and penalties for non-compliance: 

  • Google was fined €50 million ($57 million) by the French data protection authority, CNIL, in 2019 for failing to obtain valid consent for personalized ads. CNIL found that Google’s users were not sufficiently informed about the use of their personal data. 
  • British Airways was fined £20 million ($27 million) by the UK Information Commissioner’s Office (ICO) in 2020 for failing to protect its customers’ personal data. The ICO found that the airline had poor security measures in place, which led to a data breach affecting over 400,000 customers. 
  • H&M was fined €35 million ($41 million) by the German data protection authority, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), in 2021 for unlawfully collecting and storing personal data of employees. HmbBfDI found that H&M had gathered extensive personal information about its employees, including their health and private lives, without a legal basis. 
  • Marriott International was fined £18.4 million ($23.9 million) by the UK ICO in 2020 for failing to protect the personal data of millions of guests. The ICO found that Marriott had insufficient security measures in place and had failed to detect a cyber-attack that resulted in the theft of guests’ personal data. 
  • Amazon was fined €746 million ($887 million) by the Luxembourg data protection authority, CNPD, in 2021 for violating GDPR data protection laws. The CNPD found that Amazon had processed personal data in a way that did not comply with the GDPR, particularly in relation to advertising and marketing practices. 
  • Vodafone Spain was fined €8.15 million ($9.7 million) by the Spanish data protection authority, AEPD, in 2020 for unlawful telemarketing practices. The AEPD found that Vodafone had contacted individuals without their consent, used data for marketing purposes without authorization, and had not provided an adequate way to unsubscribe from marketing communications. 
  • Google Ireland was fined €100 million ($121 million) by the Italian data protection authority in 2021 for violating GDPR data protection laws. It was found that Google had unlawfully processed users’ personal data for advertising purposes without obtaining sufficient consent. 

Tsaaro for EU Representation as a Service 

Tsaaro’s EU Rep service is an excellent choice for non-EU businesses that want to ensure GDPR compliance, protect their customers’ personal data, and avoid penalties for non-compliance. Here is why:  

  • Tsaaro’s EU Rep service provides a cost-effective and hassle-free solution for non-EU businesses that process personal data of EU citizens. 
  • Our EU representative acts as a point of contact for data subjects and supervisory authorities in the EU, ensuring compliance with GDPR requirements. 
  • Our team of experts has extensive knowledge of GDPR regulations, and we can provide advice and support on all aspects of GDPR compliance. 
  • We offer customized services tailored to your business needs, such as GDPR compliance audits, data protection impact assessments, and data breach notification services. 
  • With Tsaaro’s EU Rep service, you can save time and resources and focus on your core business activities without worrying about the complexities of data protection laws. 
  • We stay up-to-date with the latest GDPR regulations and provide ongoing support to ensure that your business stays compliant. 
  • By appointing Tsaaro’s EU representative, you can build trust with EU customers, demonstrate your commitment to data protection, and avoid penalties for non-compliance. 
  • We offer transparent pricing and excellent customer support, ensuring that you receive the highest level of service and value for your investment.

Major Privacy Updates of the Week

Upcoming US Senate Bill to set age minimum for access to social media:

A bipartisan group of U.S. Senators has introduced legislation that is expected to regulate children’s access to social media. 

The bill would prohibit children under the age of 13 from accessing social media, while children aged 13-17 would be allowed access with the consent of their parents. How children’s ages would be verified remains unclear. 


Ukrainian cyber police arrested a man for selling data to Russian buyers:

A 36-year-old man was arrested by the Ukrainian cyber police for selling the data of Ukrainian and EU citizens. 

The police stated that the stolen data was sold at prices based on its volume. The databases discovered by the officers contained information such as passport details, taxpayer numbers, birth certificates, and bank account data. 


Data Protection inquiry over ChatGPT launched by Germany:

Germany has launched an inquiry into ChatGPT over data privacy concerns.

The German authorities want to verify whether OpenAI informs the people whose data has been used by ChatGPT, as EU law requires, and have demanded answers from the US maker OpenAI. 


Double Supply chain attack – 3CX compromised:

The cybersecurity firm Mandiant has reported that the breach of 3CX was caused by an earlier breach of the futures trading platform Trading Technologies. This makes it a supply chain attack that was itself caused by another supply chain attack.

The initial point of compromise was said to be an employee downloading a piece of outdated trading software. 


IMF paper states the absence of a data protection law in India poses a privacy risk:

According to the IMF paper, 80 million Indian users were affected by data breach incidents in 2021.

According to the IMF, India still lacks comprehensive data protection legislation, leaving the privacy and digital rights of users at risk. 


Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay
