Who are the supervisory authority for GDPR if your company is located outside the EU? Who does that company report to?

Each member state in the EU has its own Supervisory Authority and the principles of the GDPR is that they’re supposed to be uniform across the EU and all supervisory authorities are supposed to adopt similar and unified approaches to the enforcement of the GDPR. Appointing a GDPR representative in the EU does not create an establishment in the EU for a business, necessarily. In fact, the business is only required to appoint a representative, if the business doesn’t have an establishment. So, appointing a representative is not going to create an establishment and is not therefore going to mean that the member state in which the representative has been appointed will be the lead supervisory authority, or whatever the case may be for that business.

If you look at it from first principles, if the business is outside of the EU and doesn’t have an establishment in the EU, it’s probably going to be the location of the data subject whose rights are being considered in any particular situation is probably going to be the primary determining factor in terms of what supervisory authority applies in relation to a complaint or issue that has been raised by that data subject.