Designating a Representative in the EEA/UK


Organizations are required to designate a representative in the EEA/UK if the GDPR applies to them but they don’t have a physical establishment in any of those countries. The main purpose of this requirement is to simplify jurisdiction over foreign organizations; without someone from the organization being physically located inside of the EEA (or the UK, more on that below), it is much more complicated for European data protection authorities to enforce the GDPR against the organization.

This requirement does not apply if your processing of Europeans’ personal data meets all of the following conditions:

  1. The processing is occasional; and
  2. It does not include processing special categories of personal data or personal data related to criminal convictions on a large scale; and
  3. Is unlikely to result in a risk to rights and freedoms of natural persons.

What Is “Occasional” Processing?

Under the exception outlined above, most businesses will be primarily concerned with whether their processing of Europeans’ personal data is “occasional.”

Unfortunately, there is little concrete guidance on what the term means. In a different context (the GDPR’s record-keeping requirements), the UK’s Information Commissioner’s Office has said that occasional processing is something that is “a one-off occurrence or something you do rarely.”

The more often your business processes personal data from Europeans, the more likely it is required to designate a representative.

What Does a Designated Representative Do?

The role of designated representative is largely passive. The representative is someone who has been authorized in writing to receive communication—including legal service—on behalf of the organization regarding their processing of Europeans’ personal data. 

Additionally, the representative must maintain a record of processing activities (RoPA) for all processing that falls under the GDPR. They must make any RoPA documentation available to data protection authorities upon request.

A data protection officer (DPO) can serve as a designated representative, but this is not a requirement.

Is a Separate Representative Required for the UK?

Yes, unfortunately. Article 27 of the GDPR specifies that the controller or processor must designate a representative in the European Union (which no longer includes the UK), while the UK GDPR states that there must be a representative in the UK. The ICO has corroborated this interpretation.