Many organisations working with European residents are not actually based in Europe. They have offices in other locations and sell into the EU from there. In this post we explore the options for representatives for these kinds of businesses.
The GDPR applies to anyone who processes data from data subjects in the EU (we are talking in a business sense here; there are exceptions in Article 2.2). It makes no difference whether you or your HQ is based elsewhere: once you are either established in the EU or targeting data subjects who are in the EU, the GDPR applies to your organisation. Let’s look at the legal text. The GDPR describes the territorial scope in Article 3:
- Processing of personal data when a controller or processor is established in the EU.
- Processing of personal data of data subjects residing in the EU (relating to offering goods or services or monitoring behaviour).
- Processing of personal data by a controller not established in the EU but in a place where member state law applies.
When we talk about processing, we mean anything you do with data. This includes monitoring, lead generation or sales management where you gather, store, segment, review, research or even just hold data in your CRM, and much more. It’s also important to note that the GDPR applies to data subjects in a B2C as well as a B2B context.
Most international organisations are aware of this and are preparing themselves for GDPR compliance. However, many are not aware of article 27. This article outlines the requirement for organisations with no European office to appoint a representative in the EU.
When do you need a European representative?
You need a European representative when you do not have physical offices established inside the EU. This holds even when you have appointed a DPO at your headquarters. There are a few exemptions to this rule.
You do not need to appoint a representative when the processing of personal data is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions or offences, and is unlikely to result in a risk to the rights and freedoms of the natural persons whose data you are processing.
The GDPR doesn’t give a description of what ‘occasional’ processing means. We could dedicate an entire blog post to this topic alone, but it’s worth looking closely at your organisation’s activities when making a call on this.
What is the difference between the DPO and the representative?
The EU representative doesn’t replace the need for a DPO. A DPO is an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR. Several qualification criteria apply. A DPO can be an external resource, but often isn’t. The requirements for the DPO are much stricter, and the DPO needs access to your organisation in order to ensure compliance.
This is what the Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) has to say about the role and physical location of the DPO:
“To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union.”
“As a possible exception, the WP29 allows that in some situations, where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.”
Where the DPO is responsible for assisting the controller in becoming and remaining compliant, the representative’s focus is on communicating with the Supervisory Authorities (SAs, also known as Data Protection Authorities) as well as the data subjects involved. Essentially, Article 27 ensures that both the SA and the data subjects have easy access to a contact person for the controller in Europe.
What are the requirements for appointing a representative?
Your EU representative should first of all be based in the EU. It can be a natural or a legal person, but it’s important that they are easily accessible for your customers and your prospects, essentially anyone whose personal data you process.
It would be ideal for your EU representative to be established in a member state where many of your data subjects are based, but since this isn’t always feasible, we recommend that you offer straightforward ways of contacting your EU representative. The legal text states: “The representative shall be established in one of the Member States where the data subjects (...) are.” (Article 27.3)
Your EU representative should have a good understanding of the GDPR and be able to facilitate communication between the SA and the organisation, as well as respond to your data subjects. Support in multiple languages is a plus, as it makes engaging with the representative easier for your data subjects.
You need to appoint the EU representative in writing and, when doing so, make your records of processing (Article 30 requirements, for example a Data Processing Inventory) available to them. After the agreement is in place, you should publish the name and contact details of your EU representative on your website; we recommend including them in the privacy statement on your website.
What are the tasks of this representative?
As mentioned above, the main task of the representative is to facilitate communication with the SA and the data subjects. The representative doesn’t have to be a lawyer or IT specialist, but they should be well aware of the GDPR and how the regulation impacts the organisation.
Tasks for the representative could include:
- Maintaining records of processing
- Acting as a contact person in case of access or removal requests by data subjects
- Answering questions from or contacting the relevant Supervisory Authority
If you believe your organisation needs an EU representative, it’s important to keep in mind that appointing a representative doesn’t discharge your obligation to be compliant. Article 27 states that the representative can be addressed either instead of or in addition to the controller, and that the appointment does not affect the controller’s responsibility or liability under the GDPR.