The GDPR introduced the concept of an EU representative for firms that the rules may catch because they process data about people in the EU without having an EU presence. The relevant company must offer products or services in the EU, but, above all, it must systematically monitor the behaviour of people in the EU. If this is the case, then the GDPR rules require the firm to appoint a representative. This person or company will be the primary contact for any questions and concerns regarding data protection from any EU citizen or any data protection supervisory authority.
What is an EU Data Representative?
The GDPR covers the Data Representative issue in Article 27. According to Article 27(3), the Data Representative is:
- Nominated by the controller or processor to be addressed in addition to the controller or processor (by EU regulatory bodies)
- Established in a member state where you process personal data (or monitor behaviour)
They can be a natural or legal person based in the EU, whom the EU or relevant GDPR supervisory authorities can contact for any issue related to your data processing.
Who Needs an EU Data Representative?
You need an EU Data Representative if you process large amounts of data from EU data subjects or if you process special categories of data and you don’t have an office in the EU.
Your EU Representative is like your public face in the EU. It is easier for international bodies to get in touch with someone based in the EU/EEA than to request contact with a business elsewhere. So, in addition to your Representative providing timely updates about EU law, the regulatory authorities can also bring proceedings against the Representative for breaches you committed.
Article 27 applies to controllers and processors whose GDPR compliance is mandated by Article 3(2), which says:
“This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) The monitoring of their behaviour as far as their behaviour takes place within the Union.”
However, Article 27(2) provides an exception for processors outside the Union whose processing:
- Is occasional
- Does not include large-scale processing
- Does not include special data categories (described in Article 9(1))
- Is unlikely to present risks to the “rights and freedoms” of EU data subjects
Article 27 also does not apply to a public authority or body.
In other words, if you are a big retailer without an EU office but regularly serve customers in the EU, then you need an EU Representative. For example, Macy’s, the department store, ships to the EU and courts EU customers. It requires an EU Representative.
If you’re a mom-and-pop shop with an e-commerce store and the occasional EU customer (one every few months), then Article 27(2) allows you to skip the Data Representative requirement. You simply don’t process enough data or present enough risk to EU data subjects to qualify. However, if you have a steady revenue stream from the EU, you process special types of data, or you intend to expand your business, you should nominate one, even if only to be extra safe.
Who Can Be Your EU Data Representative?
Your Data Representative can be a natural or legal person (such as an attorney or a privacy specialist) located in the EU member state where you process the most data. Privacy experts and law firms will likely pop up to fulfil this role. Why? Because Recital 80 of the GDPR says that:
“The designated EU Representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”
It is difficult to bring lawsuits against parties located outside the relevant state. Your Representative is a means of reaching your company where national or international law otherwise won’t. They have to appear in court even if you don’t technically have to show up.
How to Appoint an EU Data Representative?
If you need an EU Data Representative, the law says you must appoint them in writing.
Your EU Data Representative Appointment Letter must include:
- Your company name and address
- Your EU Representative’s name and contact details
- A reference to the need to appoint one as a result of Article 27
Additionally, your contract should include the following details:
- Conditions of the appointment (pay, hours worked, termination notice, etc.)
- Clauses balancing liability
- Indemnity clause
- An NDA
These details protect your company from disclosures or mistakes made by your Representative.
The appointment letter serves two purposes. First, the GDPR requires the nomination to occur “in writing.” Second, it serves as a written contract between your company and the Representative. The EU can use the agreement to exercise its right to bring proceedings against your Representative in the event that it cannot reach you.
What’s the Difference Between an EU Data Representative and a Data Protection Officer (DPO)?
The Data Representative and the Data Protection Officer (DPO) do not have the same roles. They apply to different parties, and they perform different functions.
In theory, the distinction is straightforward. If you have an EU office and process either “large volumes” or “sensitive data” or are a public body, then Article 37 requires you to appoint a Data Protection Officer. The rule applies to both companies inside the EU and outside the EU. A DPO can also be inside or outside the organisation (an employee or a third party).
If you don’t have a physical operating presence in the EU, you must appoint an EU Representative. You may or may not also need a DPO. However, a Representative is a moot point for anyone with an EU base.
What’s more, the DPO has distinct responsibilities that they must fulfil. These responsibilities include:
- Educating staff on compliance and GDPR responsibilities
- Monitoring data processing practices for compliance
- Performing compliance audits
- Cooperating with the relevant data protection authorities
- Receiving requests and correspondence from data subjects
- Keeping records of data processing activities and providing them upon request
The bottom line: a DPO is a critical part of an organisation’s GDPR compliance efforts and often a full-on job. They also assume a public-facing role and receive communications from data subjects. Your GDPR EU Representative is just a go-between for you and the EU.
Can a DPO Fulfill the EU Representative Role?
In theory, they can. Nothing in the law prevents a DPO from also serving as an EU Data Representative. But there aren’t any recitals that say you can do it either. And it isn’t encouraged.
The Irish Data Protection Commissioner (DPC) has attempted to answer the question. It considers the dual role an option in limited cases. However, you still need to make sure that your DPO fulfils its original purpose and avoids anything that may present a conflict of interest.
Before merging the two roles, know this: the Irish DPC also said that a conflict of interest would likely arise because of the DPO’s need to communicate with data subjects. So you should nominate two different people.