You need an EU representative under the GDPR… or two, or three…?

It is no rumor that the GDPR has boosted the privacy advisory business and caused a desperate run on data protection officers. There is another role that is likely to get much more attention very soon: the representative of non-European companies.

The EU General Data Protection Regulation (GDPR) applies from 25 May 2018 and introduces a new position that non-European companies must establish: the representative under Article 27 GDPR.

The full text of the GDPR is linked below for those of you who want to go into more detail. For now, let's jump directly to the main business points that are relevant in my opinion.

Do you have to assign a representative?

Yes, you need one (or more, see below) representative(s) if (i) your company is not established in the EU, and (ii) the GDPR nevertheless applies to you, i.e. you offer goods or services to data subjects in the EU or monitor their behaviour (Article 3 (2) GDPR). Contact your legal adviser if you are unsure about the latter.

Failing to mandate a representative can lead to administrative fines of up to 2% of your total worldwide annual turnover of the preceding financial year or EUR 10 million, whichever is higher (Article 83 (4) a) GDPR).

There is only one exemption from the obligation to mandate a representative that applies to companies: if your processing of personal data is only occasional, does not include large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons (Article 27 (2) a) GDPR; the other exemption, Article 27 (2) b), covers public authorities only). Obviously, the scope of this exemption is pretty narrow, especially for online businesses, because most of them rely on personal data, e.g. for personalization, or they provide data (processing) services in the first place.

How do I mandate my representative?

You mandate the representative in writing. The designation should set out the representative's tasks. You do not have to notify your competent supervisory authority, but you must name the representative in the information you give to data subjects (typically your privacy policy, Articles 13 and 14 GDPR) and in your records of processing activities (Article 30 GDPR).

What are the tasks of the representative?

The representative acts on your behalf, is the direct point of contact for supervisory authorities and data subjects concerning your data processing, and can also be subject to enforcement proceedings in the event of your company's non-compliance with the regulation (Recital 80 GDPR). The representative is also an authorized agent for the service of legal documents (see, for instance, the explicit rule in Section 44 of the German Federal Data Protection Act 2018).

Which skills does the representative need?

The role is not as complex as that of a data protection officer, because the representative does not have to assess your compliance with the GDPR or the like.

The representative's tasks are nevertheless quite sensitive, and many things can go wrong if you or your representative react or reply incorrectly to a request from an authority or a data subject. That can cause not just legal issues but a PR disaster and damage to your reputation.

Therefore, your representative does not need to be a lawyer or an IT security expert, but should understand the basics of privacy law and of your data services, and should be a reliable person with very good communication skills. I'd recommend someone with a few years of professional experience.

Can I mandate an employee, or even a company not associated with mine?

Yes. Article 4 (17) GDPR defines the representative as a natural or legal person established in the Union, so both an individual (including an employee who is established in the EU) and an unrelated company can take the role. However, even if you mandate a company, you still need a natural person who actually communicates with the authorities and data subjects.

How many representatives do I need?

In my opinion the regulation is not clear on this point:

"The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is being monitored, are." (Article 27 (3) GDPR)

You can either read the provision as requiring one representative in each EU Member State where the data subjects whose personal data you process are located, or as requiring just one representative who is responsible for all Member States. The latter seems logical, because the Article says "in one of the Member States" and not "in the Member State". Additionally, the still current Data Protection Directive 95/46/EC provides that the "controller must designate a representative established in the territory of that Member State" (Article 4 (2)). So in my opinion the conclusion a contrario is that under the GDPR a single representative for the whole EU is sufficient.

However, depending on the size of your company and the scope of your data processing, it may make sense to mandate more than one representative, because the language barrier and the cultural and legal peculiarities of each EU Member State can lead to additional, unforeseeable challenges.

Now, good luck in choosing your EU representative(s)!

Dr. Jana Moser

References:

EU General Data Protection Regulation (EU) 2016/679

German Federal Data Protection Act 2018 (Bundesdatenschutzgesetz, in German)
