In these FAQs we’ll use “EU”, although this applies throughout the EEA (EU plus Iceland, Liechtenstein and Norway). And everything here applies also under the UK GDPR if we are processing data of individuals in the UK and don’t have any office there.
Who needs to appoint an EU representative?
Data controllers and data processors without an office or establishment in the EU need to appoint a representative in the EU if they process personal data of individuals in the EU for the purposes of:
a) offering them goods and services (paid or free); or
b) monitoring their behaviour (including tracking their online behaviour or subsequently using such data for profiling).
What exceptions exist?
The only exception is where the processing is occasional, and even that exception does not apply if special categories of data or criminal records data are processed on a large scale, or if the processing could involve risks to individuals’ rights and freedoms.
If we are just a data processor does this also apply?
Even if we are only a data processor, this still applies and we need to appoint a representative. So, for example, if we:
- regularly process EU individuals’ data for the above purposes
- receive even an occasional assignment to process EU health or other special category data or “high risk” data such as credit card data
then we would still need to appoint an EU representative.
How does this change after Brexit?
From 31 December 2020, the UK ceased to be covered automatically by EU laws and so, if the above rules are met, UK companies now also need a representative in the EU.
Companies from anywhere else will need a representative both in the EU (under the GDPR) and in the UK (under the GDPR as applied in the UK, unless UK laws now change in this respect).
If we had our EU representative located in the UK then now we’ll also need one in the EU.
What are the EU representative’s tasks?
The purpose of requiring data controllers and processors to appoint a representative is primarily for communications:
a) receiving communications from EU data supervisory authorities and individuals; and
b) keeping required records of processing activities.
Where can the EU representative be based?
The EU representative must be based in one of the 27 EU Member States. It doesn’t need to be a place that has a particular connection to the data controller or data processor that is represented, or where the DPO is based or has been notified to a supervisory authority. However, it should be in a Member State where at least some of our data subjects are located.
Is an EU representative the same as a DPO?
No. The data protection officer is a senior appointment required for certain companies in order to provide independent advice on data protection issues. Only some organisations need a DPO, but almost any non-EU organisation handling EU individuals’ data may need an EU representative.
In addition, if you have a DPO based in the EU, it is not good practice also to appoint them as EU representative – the representative takes instructions from the controller or processor, while the DPO needs to be an independent advisor and not to take instructions.
Does appointing an EU representative in a member state make that country’s supervisory authority the lead authority for any investigation?
No. The GDPR’s “One Stop Shop” (under which organisations only need to deal with a single EU supervisory authority for any investigation of cross-border processing) applies only where a controller or processor is established in the EU. If we have no office in the EU and therefore need to appoint an EU representative, then we cannot benefit from the OSS. This means we might have to deal with authorities in every EU Member State where there are data subjects whose data we process.
Does appointing an EU representative affect our legal liability?
The representative is liable for any breaches it commits of its own obligations: communicating with data subjects and supervisory authorities and keeping the organisation’s record of data processing activities available. But otherwise, no, designating an EU representative does not affect the controller’s or the processor’s responsibility or liability. The controller or processor remains liable and accountable.
What formalities are required for the appointment?
The representative should be appointed in writing and expressly mandated to receive communications on behalf of the controller or processor.
The identity and contact details of the representative are made public simply by including them in our privacy notice addressed to data subjects in the EU/EEA/UK. They must also appear in the record of processing activities.
Will we be fined if we don’t do this?
The theoretical and self-serving answer would be “yes, up to EUR 10 million”. The real answer is that if this is our only failing under the GDPR then I’m confident we won’t be fined. Of course, if we have everything except this arranged then it seems odd not to ensure this is also covered. And if, like most organisations, we don’t quite have everything in place then this is one thing that we can easily cover off and one less thing to worry about.