Does your company need a GDPR Representative in the EU? (7 points to consider).
On top of complying with the GDPR’s broad requirements, companies that do not have a base in the EU - must nominate in writing a representative in the EU (article 27).
1. This “representative” can be “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27”. This should not be confused with the role of the Data Protection Officer (DPO). The GDPR assigns no substantive responsibilities to representatives.
2. This role is intended for companies whose processing work is ‘occasional’ and does not involve ‘large scale’ processing or the processing of ‘sensitive data’. It will be up to the company to interrogate if the processing is ‘occasional’ and document their reasons for this decision.
3. The representative must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. If the company is processing personal data from more than 1 EU country – then they can choose their preferred country.
4. The company must appoint the representative without prejudice to legal actions that could be initiated against the company itself. Both the company and the representative could be subject to enforcement proceedings. It would seem that the GDPR contemplates that the representative and DPO will be separate persons.
5. The representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities.
6. What is the best jurisdiction for its representative? If the company has data subjects based throughout the EU – then they can choose. Ireland should be a popular choice given the experience of the regulation and that all communication with the regulator will be in English. In many cases, the representative will be a 3rd party. It is probable that legal and corporate service providers will have experts providing this service to a number of companies. This is a new role and it will be interesting to see how it evolves.
7. How important is getting access to the 'one stop shop' mechanism? You can only avail of the 'one stop shop' if you have a place of main establishment. We recently did a blog on how to determine a companies place of main establishment.
For more information on GDPR, feel free to contact us using the form below: