The obligation to appoint an EU representative for persons not resident or established in the EU (or EEA) is familiar to many companies from the area of data protection law. However, such an obligation can now be found in other legal acts in the area of “data and digital”. This overview provides an overview of the obligations for appointing an EU representative in EU data and digital law.
What is a representative?
In contrast to a “contact point” (cf. e.g. Art. 11 f. Digital Services Act), the “representative” must be domiciled or established – i.e. physically on site – in the Union. A mere letterbox company is not sufficient. However, one and the same person may be a representative under different legal acts and/or a representative for different represented persons. It is possible to appoint both group companies and “external” natural or legal persons as representatives.
First practical hints
Upon initial review of the purchase order obligations, the following points stand out:
The role and liability of the representative are often not regulated at all or not clearly. However, there is much to be said for using formulations such as
“It is possible to hold the legal representative liable for breaches of obligations arising from this regulation” (Art. 13 para. 3 DSA, cf. also Art. 17 para. 3 TCOR)
to be interpreted as meaning that the representative is only liable for a breach of own duties and does not fully assume the duties of the representative. The representative will hardly have the competences and powers of instruction to ensure the fulfillment of the diverse catalog of duties incumbent on the represented party (cf. only the notification and redress procedure, internal complaint management system and transparency reporting obligations in the Digital Services Act). According to the view expressed here, the represented party must therefore only grant the representative the resources and powers that are necessary for the representative to fulfill its explicit can fulfill the enumerated duties.
The duties of the representative are often limited to the duty to provide information and to cooperate with data subjects and supervisory authorities, but in some cases (especially in the draft Artificial Intelligence Act and the EDHS‑E) they go beyond this. Insofar as there is talk of the representative
“may be called upon in [the representative’s] stead by the competent authorities […] on any matter necessary for the receipt of, compliance with, and enforcement of any decision made in connection with this Ordinance” (Art. 13(2) p. 1 Digital Services Act)
According to the above, the representative is to be classified as a receiving representative for the receipt of resolutions, but as a declaratory messenger of the represented party for the answering of questions.
Also noteworthy is the duty of the representative provided for in the draft Artificial Intelligence Act to terminate his engagement if he has sufficient grounds to believe that the represented party is in breach of its obligations under the regulation. In such a case, he must also immediately inform the competent market surveillance authority. This obligation is surprising, since the appointment of the representative is intended to enable effective supervision and, if necessary, enforcement of the regulation against the represented party. This enforcement would be made more difficult as a result of the termination, since the representative would no longer be eligible as an agent for service of the represented party. Changes can therefore be expected here in the further course of the legislative proposal.