Most US firms doing business in the EU (that have no establishment there) are required to appoint a representative – or face a GDPR fine of up to 10 Mio. € or 2% of the worldwide annual revenue, whichever is higher!
Most US businesses with no establishment in the European Union must appoint a representative.
Violation of this obligation can result in a fine of up to 10 Mio. € or more.
The Dutch Data Protection Authority fined LocateFamily.com 525,000 € for such a violation in December 2020.
Many US businesses are exporting goods or services (also) to the European Union or are using web analytics tools on their websites like Google Analytics. What most of them do not know: they must appoint a representative in the EU.
The General Data Protection Regulation ("GDPR") often applies even to non-EU businesses, if they do not have an establishment in the EU. The concept of the "marketplace rule" means that any business not established in the EU is nonetheless subject to the GDPR,
In short, this broad and complex provision means that most US businesses exporting to the EU (B2B or B2C) must appoint a representative.
If no representative is appointed, fines of up to 10 Million € or 2% of the worldwide annual revenue from the preceding financial year (whichever amount is higher) may be imposed.
In fact, in December 2020, the Dutch Data Protection Authority imposed a fine of 525,000 € for not appointing a representative in the EU. Because non of the other data protection authorities of the EU member states want to be seen as slacking or inactive, we fully expect many more proceedings and fines in the coming months.
… and non-compliance a real disadvantage! We have noticed a growing trend with our German and EU clients: More and more buying decisions are being made with GDPR compliance in mind. Put yourself in the shoes of your EU customers: What would you think if you spend countless hours, days or weeks hammering out a deal with a new service provider or supplier only to have it cut off at the knees at the last minute by your data protection officer? Or how would you like to have lengthy and costly (lawyers do not work for free after all) discussions with the works council whenever your business wants to deploy software from a new service provider?
To avoid or at least simplify these problems, more and more of your EU customers are putting compliance with data protection law first in their buying decision process. Because of that, service providers, vendors and other business partners from the US have a difficult time selling to EU customers without a representative in the EU.
Complying with the obligation to appoint a representative in the EU is relatively easy. All your business needs to do is conclude a contract with a professional in the field of data protection. Because the representative will be in contact with data protection authorities and your business partners, customers, users, etc. in the EU, it is very much advisable to appoint a representative experienced in the field of data protection law.
Even businesses with subsidiaries in the EU may be obligated to appoint a representative depending on their specific contracts with the subsidiaries. Hence, we recommend you talk to a lawyer from the EU about your specific business’ situation.