When your organisation processes personal data of individuals in the EU, the UK, or Switzerland but does not have a physical presence there, you are generally required to appoint a data protection representative in that jurisdiction.
This obligation applies separately in each territory. A representative appointed in one jurisdiction cannot cover the others.
Who needs to appoint a representative and where?
- UK or Swiss organisations processing personal data of individuals in the EU must appoint a representative in the EU.
- EU or UK organisations processing personal data of individuals in Switzerland must appoint a representative in Switzerland.
- Swiss or EU organisations processing personal data of individuals in the UK must appoint a representative in the UK.
If your organisation processes personal data across all three jurisdictions without establishments there, you may need to appoint representatives in each.
When the obligation applies
Work through these three questions:
- Do you lack an establishment in that jurisdiction?
An establishment is a local office, branch or other stable presence. If you are established there, the local representative rule does not apply.
- Does your processing target people in that jurisdiction?
Targeting usually means offering goods or services to people there (language, currency, delivery options, local contact details, etc.) or systematically monitoring behaviour (tracking, profiling, analytics aimed at residents). Mere accessibility of a website or an app is not enough.
- Are you a controller or a processor (and is the jurisdiction’s rule framed to include both)?
In the EU/UK the obligation applies to both controllers and processors without local establishment that fall within territorial scope. In Switzerland the requirement is framed differently and applies to private controllers under specific, cumulative conditions.
If the answers show you are not established there and your processing targets people in that jurisdiction, you will generally need a local representative.
Why are separate representatives required?
The EU, the UK, and Switzerland each operate distinct data protection frameworks. Each has its own regulators, enforcement processes, and local rules.
A representative acts as your organisation’s contact point for local regulators and data subjects. Because these frameworks are separate, a representative appointed in one jurisdiction cannot fulfil that role in another.
The cost of not appointing a data protection representative
Failure to appoint when required can result in significant penalties:
- EU – up to €10 million or 2% of annual worldwide turnover, whichever is higher
- UK – up to £8.7 million or 2% of annual worldwide turnover, whichever is higher
In addition to fines, you may face regulatory investigations and disruption to your operations.
Meeting the obligation in practice
Kanto offers data protection representative services in the EU, UK, and Switzerland. With us, you can meet all three obligations through a single point of contact.
- Three jurisdictions, one provider
- Consistent communication with regulators
- Aligned compliance across your operations
Book a free 20-minute call with Kanto today to find out how we can help you appoint the right representatives.
Image by macrovector_official on Freepik
