A representative will act on your behalf regarding your GDPR compliance and will be a point of contact with data protection authorities and individuals in the EU.
You need to appoint a representative even if you do not have an office in the EU but you are:
There are some limited exemptions to this requirement. For example, if your processing of EU individual's personal data is occasional, it is of low risk to their data protection rights, and it does not involve the large-scale use of special category or criminal offence data.
A similar requirement to appoint a representative applies if you are an EU-based business providing services in the UK and do not have a UK office.
A representative can be an individual, a company or organisation established in the EU that can act on your behalf regarding your compliance with the GDPR.
It is up to you in which country you appoint your representative, but they should be appointed in a member state where some of the individuals to whom you are offering recruitment services are based. If you provide recruitment services in more than one EU country, some consideration should be given to which country is the most appropriate choice for your business and where the representative can act on your behalf most effectively.
A representative must be appointed in writing, usually in the form of a written agreement which sets out the relationship between the parties.
There are numerous businesses offering this service and we suggest you do some due diligence on them before you appoint them. We suggest looking for a business or an individual that is regulated by a professional body and make sure you check your contract with them carefully.
Appointing a representative does not mean they are responsible for your compliance with the GDPR. You will remain liable for compliance and any breaches but the representative may be subject to enforcement action by EU data protection authorities.