Need to appoint a GDPR Representative? (Read this first)
If your company has customers in the EU, then you will need to get to grips with the GDPR. If you do not have an office in the EU, then you will probably need an EU Representative. Why? You will definitely lose business and possibly get fined.
Are there any exemptions?
There is one exemption where a non-EU company is not required to have an EU representative. If your company processes personal data ‘occasionally’, and is unlikely to result in a risk to the rights and freedoms of natural persons, then you are exempt. What exactly constitutes ‘occasionally’ remains to be defined.
It is important to note that if you decide that you do not need a representative, you must interrogate this decision and document it. You have to prove that the processing of date is Occasional.
What are the tasks of the EU representative?
The representative acts on behalf of the controller or processor with regard to their obligations under GDPR. The representative acts as a direct contact to the authorities and data subjects (Users/Customers), while also being an authorized agent to receive legal documents. Representatives may also be tasked with maintaining records of processing activities (GDPR Art. 30 (1) and (2)) and making records available to the supervisory authority (GDPR Art. 30(4)). It is important to note that the designation of an EU-based representative does not affect the responsibility or liability of the controller or of the processor under GDPR. Art. 27(4). The Controller or Processor is always accountable.
Who can I choose to be my representative?
The role of representative should not be confused with that of the DPO (Data Protection Officer). Representatives of non-EU companies will not be required to assess GDPR compliance. The representative is not required to be a legal professional, or a data security professional.
However, given that the representative may be required to communicate with authorities and data subjects over a variety of issues, it would be beneficial for the representative to have a good knowledge of GDPR regulations. In addition to this, your GDPR Representative should ideally have a good understanding of your company’s data services - what and how your company uses Data. The GDPR Representative would ideally have professional experience working with authorities in the areas of regulation and compliance.
Is a GDPR Representative the same as a DPO?
This “representative” can be “a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27”. A legal person is an individual, company, or other entity which has legal rights and is subject to obligations. This should not be confused with the role of the Data Protection Officer (DPO). The GDPR assigns no major responsibilities to representatives.
Which EU country can a GDPR Representative be from?
The representative must be established in one (only 1) of the EU Member States where the data subjects whose personal data the company processes are located. If the company is processing personal data from more than one EU country – then they can choose their preferred country.
We obviously recommend Ireland. The regulator speaks English and has extensive experience in dealing with technology companies like Facebook, Twitter and Google – to name a few.
The company must appoint the representative "without prejudice" to legal actions that could be initiated against the company itself. Both the company and the representative could be subject to enforcement proceedings. It would seem that the GDPR wants the representative and DPO to be separate persons.
In many cases, the representative will be a 3rd party. It is probable that legal and corporate service providers will have experts providing this service to a number of companies. This is a new role and it will be interesting to see how it evolves.
The GDPR Representative is a Go-between
The representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including being a contact point for supervisory authorities.
It is the Controller and Processor that must ensure that their chosen Representative has good systems in place to receive communication from data subjects. If a data subject makes a Subject Access Request (SAR) or if the relevant supervisory authority makes a request, it is imperative that the Representative responds to this as per the regulation.
What email addresses are used to communicate?
Do multiple people check that email (if someone is on holidays)?
What is the process for the Representative to communicate with Controller or processor?
There is a lot of procedural work to be done here.
One Stop Shop
Most companies would like to deal with one regulator (one-stop-shop) and the GDPR facilitates this. There is a lot of discussion around existing EU structures but this is just as relevant for companies that do not have a legal entity in the EU.
It is important to note that if a controller/processor, does have a company in the EU and appoints a Representative. They do not have access to the ‘One Stop Shop’ mechanism.
There are options, you can still have a main establishment in the EU.
Legal Obligations of GDPR Representative
Like most aspects of the GDPR, this is unclear. Article 27 does state:
This means that even if a Processor or Controller has a GDPR Representative – they are still accountable. You can outsource the role of the GDPR Representative, but you cannot outsource accountability.If the controller or processor do not appoint a representative, they can “be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”
GDPR Representatives – be warned
In recital 80, the GDPR states:
This is suitably vague and contradictory. In the Article, it states clearly that the Processor and Controller are always accountable but this line at the end of the recital also implicates the Representative.The WP29 will clarify this, I hope. In the meantime, my view (I am not a lawyer) is that enforcement is limited to the Representative not doing their job correctly (see above).It also puts a burden on the Representative to understand the companies they are representing. It is imperative that GDPR representative understands in some detail the Controller or Processor business and their attitude towards data protection.