GDPR & International Businesses: Do you need an EU-based Representative?
The European Data Protection Board (EDPB) recently issued new guidelines related to the obligations on non-EU based businesses which process personal data.
Generally speaking, if you are a business based outside of the European Union and you are caught by the territorial scope of the GDPR (i.e., you are established in the EU or are offering goods and services targeted at a country based within the EU or are carrying out behavioral monitoring or analytics in the EU), then you need to appoint a representative based in an EU member state.
Representatives of controllers and processors
As a quick reminder, a controller is the natural/legal person/body who decides on the purposes of processing personal data (Article 4(7), GDPR), while a processor is the natural/legal person/body who processes the personal data on behalf of the controller (Article 4(8), GDPR).
The EDPB has stressed that if a controller or processor based outside of the EU becomes subject to the GDPR’s territorial scope through the targeting criteria of offering goods or services to, or monitoring the behaviour of, individuals in the EU, and it does not have an office in the EU, then it is under an obligation to appoint a representative in the EU.
If this is not done, the controller or processor would be in breach of the GDPR.
It is worth noting that appointing a representative because you carry out targeting activities caught by the GDPR does not necessarily mean that you also become “established” in the EU for the purposes of the GDPR. On this point, the EDPB has advised that appointing a representative does not count as “establishing” yourself in the EU.
Where should my Representative be based?
If you are obliged to appoint a representative, the first thing to check is that your representative is an individual or an entity with a business or personal residence in the EU. When you are deciding where to appoint your representative, it is important to note that the representative must reside in one of the Member States in which your data subjects are located.
When deciding on the most appropriate Member State for your representative, you can also have regard to factors such as which Member State you target the most, or where the majority of your data subjects are based.
Can I use my External DPO as a Representative?
The EDPB points out that the function of the representative in the EU is not compatible with the role of an external data protection officer in the EU.
There could be a conflict of interests if, for example, a data protection officer had to represent the controller or processor before the courts in a case about data protection issues. There is no requirement on the controller or representative to notify the appointment of the representative to a supervisory authority. However, data subjects must be informed of the identity of the representative by the controller, and the authority should be able to access this information.
What is the role of a Representative?
The representative’s role should be to facilitate communication between data subjects and controllers or processors, with the aim that data subjects can enforce their rights effectively. The representative must keep records of any processing done and cooperate with the supervisory authority when required. The responsibility of the controller and processor to comply with the GDPR is not alleviated or changed just because an EU representative has been appointed.
However, as to the representative’s own liability: there is an underlying intention that representatives can be held liable in the same way as controllers and processors, with possible administrative fines and penalties imposed on them.
Are there situations where we are exempt from appointing a Representative?
Even if your non-EU business meets the targeting criteria, there may be situations in which you do not need to appoint a representative. According to the GDPR, such situations include:
where you only process personal data occasionally;
your processing does not constitute “large-scale processing”;
your processing does not include “large-scale processing” of sensitive personal data or personal data relating to criminal convictions or offences;
your processing activities are unlikely to result in a risk to the rights and freedoms of data subjects.
If we have to appoint a Representative, how do we go about it?
The GDPR states that the appointment of a representative by a company which is not based in the EU must be done in writing. This means that an oral appointment is not sufficient.
As with many areas of law, it is usually best to ensure that your appointment is properly drafted (for example in a contract) which sets out the scope of the appointment, the key obligations and any liabilities. As well as helping you to ensure that you are compliant with the GDPR (and are able to evidence this with a written document), setting out the appointment in a robust letter or contract also provides you with legal certainty in the event of any issue or disagreement.
We appreciate that there are quite a few points to take on board when establishing whether your non-EU business needs to appoint a representative.
Whilst the EDPB has set out some key clarifications, it is always worth seeking specialist advice on your specific situation.
Of course, if you need any assistance or require any further clarification, please get in touch with us here.
January 2019, Charlotte Gerrish, Founding Lawyer, Lily Morrison and Marie Montreux, Legal Consultants @ Gerrish Legal.