Under what authority can the EU impose GDPR-related fines on companies with no presence or assets located within the EU?
The important thing to consider is that the GDPR has global territorial effect, in relation to the GDPR rights of data subjects in the EU. So therefore, if a business chooses to do business in the EU and does business with customers or clients or data subjects in the EU and is processing their data for that purpose (I’m referring to businesses here because primarily that’s the type of entities that we deal with but it needn’t be businesses only. Primarily it tends to be businesses that need this ) If the business is located outside of the EU, the important thing to consider is that it’s the rights of the data subject that’s located in the EU is what the GDPR is there to enforce. And so therefore the GDPR gives global territorial effect to those rights, and it means that fines or other sanctions that might be imposed by the GDPR or the civil liability that arises under the GDPR has global effect – that is a matter of fact. The requirement to appoint a representative is one of those requirements and the purpose of it is to give effective force to the sanctions that can be imposed by the GDPR International.