The appointment of an EU representative is required for controllers or processors who do not have an establishment within the EU but process the personal data of EU citizens—regardless of whether the processing takes place online or offline. The framework for the tasks and related requirements of the EU representative is set out in Article 27 of the GDPR.

Accessibility: The EU representative must be easily accessible to data subjects and the data protection authorities of the Member States.

Representation of the controller or processor: The EU representative serves as a point of contact for data subjects and supervisory authorities regarding the obligations of the controller or processor under the GDPR.

Representation for processing activities within the scope of the GDPR: The representative is responsible for processing activities that fall under the scope of the Regulation as defined in Article 3 GDPR, and for which the controller or processor is not established in the EU.

Acting on behalf of the controller or processor: The EU representative acts on behalf of the controller or processor in relation to certain GDPR obligations, particularly in cooperating with supervisory authorities and responding to data subject requests.

Practical implementation: The Hamburg Commissioner for Data Protection and Freedom of Information stated in his Activity report 2018 that neither own staff nor dedicated office space is required for an EU representative. However, it must be ensured that smooth communication and the possibility of in-person meetings on-site are available. Most representatives therefore are likely to use shared office spaces that include meeting facilities.