Need to appoint a GDPR Representative? (Read this first)
If your company has customers in the EU, then you will need to get to grips with the GDPR. If you do not have an office in the EU, then you will probably need an EU Representative. Why? Without one you will lose business and may also be fined.
Are there any exemptions?
There is one exemption under which a non-EU company is not required to have an EU representative (Art. 27(2)(a)). If your company processes personal data only ‘occasionally’, the processing does not include large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions (Art. 10), and it is unlikely to result in a risk to the rights and freedoms of natural persons, then you are exempt. What exactly constitutes ‘occasionally’ remains to be defined.
It is important to note that if you decide that you do not need a representative, you must interrogate this decision and document it. You have to be able to show that the processing of data is occasional.
What are the tasks of the EU representative?
The representative acts on behalf of the controller or processor with regard to their obligations under the GDPR. The representative acts as a direct contact for the authorities and data subjects (users/customers), while also being an authorised agent to receive legal documents. Representatives may also be tasked with maintaining records of processing activities (GDPR Art. 30(1) and (2)) and making those records available to the supervisory authority (GDPR Art. 30(4)). It is important to note that the designation of an EU-based representative does not affect the responsibility or liability of the controller or of the processor under the GDPR (Art. 27(4)). The Controller or Processor is always accountable.
Who can I choose to be my representative?
The role of representative should not be confused with that of the DPO (Data Protection Officer). Representatives of non-EU companies will not be required to assess GDPR compliance. The representative is not required to be a legal professional, or a data security professional.
However, given that the representative may be required to communicate with authorities and data subjects over a variety of issues, it would be beneficial for the representative to have a good knowledge of the GDPR. In addition to this, your GDPR Representative should ideally have a good understanding of your company’s data services - what data your company uses and how. The GDPR Representative would ideally have professional experience working with authorities in the areas of regulation and compliance.
On the 16th of November 2018, the EDPB (European Data Protection Board) confirmed that the controller/processor should:
in accordance with Articles 13(1)a and 14(1)a, as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the Union. This information shall for example be included in the privacy notice or upfront information provided to data subjects at the moment of data collection. A controller not established in the Union but falling under Article 3(2) and failing to inform data subjects who are in the Union of the identity of its representative would be in breach of its transparency obligations as per the GDPR.
So, it should be clear in your Privacy Statement who your representative is and how they can be contacted.
Is a GDPR Representative the same as a DPO?
This “representative” can be “a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27”. A natural person is an individual; a legal person is a company or other entity which has legal rights and is subject to obligations. This should not be confused with the role of the Data Protection Officer (DPO). Beyond the tasks described above, the GDPR assigns no major responsibilities to representatives.
Which EU country can a GDPR Representative be from?
The representative must be established in one (and only one) of the EU Member States where the data subjects whose personal data the company processes are located. If the company is processing personal data from more than one EU country, then it can choose its preferred country among those.
We obviously recommend Ireland. The regulator speaks English and has extensive experience in dealing with technology companies like Facebook, Twitter and Google – to name a few.
The designation of the representative is "without prejudice" to legal actions that could be initiated against the company itself (Art. 27(5)). Both the company and the representative could be subject to enforcement proceedings. It would seem that the GDPR wants the representative and the DPO to be separate persons.
In many cases, the representative will be a 3rd party. It is probable that legal and corporate service providers will have experts providing this service to a number of companies. This is a new role and it will be interesting to see how it evolves.
The GDPR Representative is a Go-between
The representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including being a contact point for supervisory authorities.
It is the Controller or Processor that must ensure that their chosen Representative has good systems in place to receive communication from data subjects. If a data subject makes a Subject Access Request (SAR), or if the relevant supervisory authority makes a request, it is imperative that the Representative responds within the timeframe the regulation sets. Questions to settle in advance:
What email addresses are used to communicate?
Do multiple people check that mailbox (for example, when someone is on holiday)?
What is the process for the Representative to communicate with the Controller or Processor?
There is a lot of procedural work to be done here.
One Stop Shop
Most companies would like to deal with one regulator (the ‘one-stop-shop’ mechanism) and the GDPR facilitates this for controllers and processors with an establishment in the EU. Most of the discussion around it concerns existing EU entities, but it is just as relevant for companies that do not have a legal entity in the EU.
It is important to note that if a controller/processor does not have an establishment in the EU and appoints a Representative, appointing the Representative does not give it access to the ‘One Stop Shop’ mechanism.
There are options: you can still set up a main establishment in the EU.
Legal Obligations of GDPR Representative
Like most aspects of the GDPR, this is unclear. Article 27 does state:
This means that even if a Processor or Controller has a GDPR Representative, they are still accountable. You can outsource the role of the GDPR Representative, but you cannot outsource accountability. If the controller or processor does not appoint a representative, they can “be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher” (Art. 83(4)).
GDPR Representatives – be warned
In recital 80, the GDPR states:
This is suitably vague and contradictory. Article 27 states clearly that the Processor and Controller are always accountable, but this line at the end of the recital also implicates the Representative. The WP29 will clarify this, I hope. In the meantime, my view (I am not a lawyer) is that enforcement against the Representative is limited to the Representative not doing their job correctly (see above). It also puts a burden on the Representative to understand the companies they are representing. It is imperative that a GDPR Representative understands in some detail the Controller’s or Processor’s business and their attitude towards data protection.
On the 16th of November 2018, the EDPB confirmed what it expects of a GDPR Representative:
With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.
As outlined above, this will be a role of some significance. There are 24 official languages in the EU, and a GDPR Representative is expected to be able to communicate in whichever of them the relevant supervisory authorities and data subjects use. A controller/processor is responsible for ensuring the GDPR Representative they designate is capable of doing the job. If the controller/processor has data subjects and supervisory authorities across all 24 languages, then they need to ensure the Representative can communicate in all of them.
JAMES FERGUSON - Vice President of Revenue, CSI Regulatory Compliance Group.
"As part of our continuing GDPR compliance programme, we identified the need for a GDPR Representative. We were delighted to find Nathan Trust, who were able to offer us a smart, straightforward and cost-effective solution. Philip and his team were always super responsive and great to deal with. If you are a US company looking for a GDPR Representative, I am happy to recommend the solution provided by Nathan Trust."