- In accordance with Art. 27 in conjunction with Art. 3 para. 2 GDPR, FIFA, which is based in Switzerland, has appointed an EU representative based in Hamburg to fulfill data protection obligations in the EU.
- The HmbBfDI accepts a minimal presence (postal address, no permanent staff), provided that communication and real meetings ensure the representation function when required.
FIFA is known to be an association based in Switzerland but operating internationally. It therefore has a Hamburg-based EU representative within the meaning of Art. 27 in conjunction with Art. 3 (2) GDPR (cf. the FIFA Privacy Policy). FIFA therefore reported a data leak, in line with a recommendation of the then Article 29 Working Party (Guidelines on Personal data breach notification under Regulation 2016/679, p. 18), to the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI).
In this context, the HmbBfDI set out the following requirements for the EU representative in its 27th activity report (2018):
In addition to other globally active companies, the World Football Association has also appointed a legal entity as its representative, which is based in Hamburg. This is a provider that specializes in acting as a Union representative for third-country companies. In doing so, it uses a minimal infrastructure in Hamburg, with a postal address in a local community office and without its own staff regularly on site. Such an arrangement, located in a legal gray area, is only sufficient if the representation of the responsible person is actually ensured. As long as, as here, communication with the representative's employees operating from Switzerland works smoothly and, if necessary, meetings are held in the Hamburg office community, the Hamburg branch office will fulfill the purpose of Art. 27 GDPR.