There still seems to be a great deal of confusion among some businesses about whether the GDPR requires them to designate a representative in the EU or EEA (European Union or European Economic Area). Hopefully, this will help clarify it for some. Keep in mind, though, that, like many GDPR compliance questions, this one involves a fair amount of subjective analysis, and it is the opinion of the Supervisory Authority that carries the day.
Which Entities Need to Designate a Representative?
For our UK readers: until Brexit takes effect, a UK-based entity is established in the EU and does not face this question at all; only entities with no establishment in the EU or EEA do. After Brexit, however, for all intents and purposes a UK-based entity becomes a non-EU/EEA entity. It will therefore face the same requirements as one based in the US, Canada or any other non-EU/EEA country.
Note: For GDPR compliance purposes, an “entity” isn’t necessarily only a business – even a personal blog is an “entity” with the potential of being subject to the GDPR.
So, after Brexit, a UK-based controller or processor that offers goods or services to, or monitors the behavior of, individuals located in the EEA, and that has no office, branch or other establishment in the EEA, must designate a European representative unless one of the exceptions below applies. The trigger is Article 3(2): the GDPR applies to the entity even though it is not established in the Union, and Article 27 follows from that.
There are some exceptions, however…
Article 27(1) of the GDPR requires a controller or processor to which Article 3(2) applies to designate, in writing, a representative in the Union. Art. 27, para. 2, however, sets out conditions under which that requirement does not apply:
“… shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.”
Note that the three conditions in (a) are cumulative: the processing must be occasional, and not include large-scale processing of special-category or criminal-offence data, and be unlikely to result in a risk, all at the same time. In the above, “occasional”, “on a large scale” and “unlikely to result in a risk” are the important terms, and they are subjective. So if you feel that the nature of your processing activities exempts you from the mandate, I would suggest you err on the side of caution. If you find yourself building an argument to justify the exemption, the very need to argue for it could be enough to make your stance questionable. Supervisory Authorities can almost be guaranteed to lean heavily in favor of data subjects, so if you are in this position, you would be well advised to seek competent legal advice.
Special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health, and sex life or sexual orientation) are defined in Article 9(1) of the Regulation.
Another situation that can fall outside the requirement is one in which a US-based company provides cloud storage or a SaaS solution to an EU-based manufacturer of industrial goods. The Article 27 obligation follows Article 3(2), which is triggered by offering goods or services to, or monitoring the behavior of, data subjects in the Union; a company whose only EU customers are other companies may therefore not be caught by it. This determination must be made very carefully, however: the US company would still be a processor for its EU customer and bound by the Article 28 contract terms that customer must impose, and if it separately offers services to or monitors individuals in the Union, the exemption falls away.
Where are Representatives Required?
If a representative is required, it must be established in one of the EU/EEA Member States where the data subjects whose personal data is being processed (in relation to the goods or services offered to them, or whose behavior is monitored) are located (Article 27(3)). One such Member State is enough; a representative is not needed in every state served, as I have seen some people say.
How Must the Representative be Presented?
The representative must be mandated to be addressed, in addition to or instead of the controller or processor, by Supervisory Authorities and data subjects in particular, on all issues related to processing (Article 27(4)). In practice this means the representative is the point of contact for Supervisory Authorities and data subjects on processing and compliance issues, and its identity and contact details must be disclosed to data subjects, for example in the privacy notice, as required by Articles 13(1)(a) and 14(1)(a).
What are the Responsibilities of the Representative?
Per Recital (80) in the Regulation, “The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation.”
This means that the Representative should have the full authority of the controller or processor to receive all relevant communications and to forward to the controller or processor any and all issues dealing with processing or compliance.
However, the designation of a Representative does not relieve the controller or processor of any of their responsibilities under the Regulation. Article 27(5) states that the designation is without prejudice to legal actions which could be initiated against the controller or the processor themselves.
In addition to being the point of contact for data subjects and Supervisory Authorities on GDPR compliance issues, the Representative:
- Shall maintain the record of processing activities (provided by the controller or processor) and make it available to the Supervisory Authority on request (Article 30);
- Shall, on request, cooperate with the Supervisory Authority in the performance of its tasks (Article 31);
- Shall receive inquiries and complaints from data subjects and Supervisory Authorities and forward them to the controller or processor (Article 27(4)).
Representatives can themselves be held responsible for failure to comply with the Regulation, but only insofar as their own actions are involved.
A Dearth of Representatives
Because so many non-EU/EEA companies will be required to designate a representative within the EU, there is a severe shortage of qualified representatives. If you determine that your company must appoint one, choose carefully, so you don’t find yourself running afoul of the GDPR because of misplaced confidence.