The European Data Protection Board (EDPB) has further clarified the liability risk profile of the Representative in its recently adopted guidelines, addressing the tasks and possible liability of the Representative. Pursuant to the GDPR, companies that are not based in the EU must designate a Representative if they process personal data of data subjects in the EU for the purposes of offering goods or services or monitoring their behavior.
Contrary to previous statements, the EDPB comes to the conclusion that the Representative cannot be liable or be subject to administrative fines for infringements committed by the companies it represents. However, the Representative shall be liable for its own misconduct, the EDPB states. It remains unclear whether this only means that the Representative can be liable for damages or whether it may also be subject to administrative fines.
Our Düsseldorf-based Cyber and Data Privacy Assistant Tobias Lantwin has published an article on the tasks and risk profile of the Representative. He explains in detail which tasks the Representative has to take on and that there is no basis in the GDPR to impose fines against Representatives. Although the article is in German, you will find an English-language abstract at the beginning of the article.