GDPR: Risk Profile of the Representative Further Clarified

December.02.2019

Deutsch: DSGVO: Haftung des Vertreters ausländischer Unternehmen weiter präzisiert

The European Data Protection Board (EDPB) has further clarified the liability risk profile of the Representative in its recently adopted guidelines, addressing the tasks and possible liability of the Representative. Pursuant to the GDPR, non-EU companies must designate a Representative if they are not based in the EU but process personal data of data subjects in the EU for the purposes of offering goods or services or monitoring their behavior.

Contrary to previous statements, the EDPB comes to the conclusion that the Representative cannot be liable or be subject to administrative fines for infringements committed by the companies it represents. However, the Representative shall be liable for its own misconduct, the EDPB states. It remains unclear whether this only means that the Representative can be liable for damages or whether it may also be subject to administrative fines.

Our Düsseldorf based Cyber and Data Privacy Assistant Tobias Lantwin has published an article on the tasks and risk profile of the Representative. He explains in detail which tasks the Representative has to take on and that there is no basis in the GDPR to impose fines against Representatives. Although the article is in German, you will find an English language abstract at the beginning of the article.

Related Lawyers

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Related Areas

Markets

Germany