requirement to be a representative

If your business is based outside the EU but you “conduct business in the EU”, discover why you need to appoint an EU Representative to ensure you’re protected and fully compliant with GDPR law.

Firstly, what is GDPR? And who is it that really needs an EU Representative?

The General Data Protection Regulation (GDPR) provides a level of international protection for the personal data of EU citizens under Article 3.

Article 3 outlines that GDPR will apply to companies that are processing the personal data of EU citizens outside of the European Economic Area (EEA). GDPR imposes a variety of obligations on them, such as ensuring that they apply the core data protection principles and treat the data as required by the GDPR.

This issue also comes into play for companies and organisations that are involved with the international transfer of data.

To assist with accountability, the GDPR establishes the role of the European Representative under Article 27. The role of EU Representative is distinct from that of a Data Protection Officer (DPO) for a variety of reasons. So…

What does an EU Representative do?

The main focus of the European Representative is to be the first point of contact for data subjects and regulators who need to contact the organisation outside of the EEA, and to act in accordance with the instructions that form part of the mandate appointing them.

DPOs, by contrast, are expected to be given a degree of autonomy, whether they are internal or external to a company, in order to enable them to carry out their duties effectively and advise on the compliance issues relating to data protection.

Top 3 Key roles of an EU Representative

In essence, the role of the EU Representative is a simple one and includes:

  • To be the first point of contact in Europe.
  • To receive any complaints and communications in Europe and forward these onto the relevant person within the organisation.
  • To liaise between the parties involved with a complaint and provide any assistance when required.

All activities they assist with should be dealt with under the written mandate. Along with this, the appointing organisation should set out procedures and the correct lines of communication, so that all parties involved are aware of their duties and manage responses in line with the deadlines that are expected under the law.

When do you need to appoint an EU Representative?

This means that, for compliance, companies that are operating outside of Europe and trying to market or offer goods or services in Europe must appoint an EU Representative if they are:

  • not a public authority or body
  • and they are regularly processing personal data on a large scale
  • or processing sensitive data.

There are some areas in which confusion can arise when appointing a representative, such as where the representative must be appointed and whether this can be in any member state.

When just one EU Representative will do

The European Data Protection Board (EDPB) outlined in its guidance that the representative must be in a member state in which the company is offering goods and services. Where these are being offered across multiple countries in the EEA, the guidance allows for the representative to be based in only one of those countries.

This gives companies seeking to appoint an EU Representative an easier and more cost-effective route, as appointing a representative in every member state would be costly and increase the complexity of such an operation.

Some companies might be exempt for another reason: when they are established in the EU with a subsidiary and that subsidiary is directly involved with the processing activities.

However, the EDPB Guidance states that if the subsidiary is not involved with the data processing activity, then you are required to appoint an EU Representative.

In theory, the subsidiary can be appointed to be the representative if it is operating in one of the states in which you are offering goods and services. If that is not the case, the alternative is appointing an independent representative in another state.

3 Tips for choosing the right EU Representative

Once the appointment of a representative has been made, there are a few things that need to be done to ensure smooth operation when handling requests and complaints.

Dealing with Complaints

First, the representative needs to be listed under the contacts in the privacy policy, so that data subjects know who to contact to make any such requests.

Procedures

The other thing that needs to be discussed between the company and its representative is how to set up the procedures and lines of communication so that a responsive system is in place, and how things should be dealt with, such as verifying the responses from data subjects.

This forms the basis of the appointment of the representative. There are several key points to be aware of when doing so:

  • The EU Representative needs to be given an explicit mandate in writing, outlining the scope of their duties.
  • An EU Representative is a role and appointment distinct from that of a DPO. They are to operate within the scope of the duties set out in their mandate. They are not really supposed to advise or implement anything in regard to GDPR compliance.
  • When appointing a representative, the representative must be appointed in one of the member states that the company is offering goods or services in.

So there you have it.

If your business is based outside the EU but you “conduct business in the EU”, you need to appoint an EU Representative.

Ready to appoint an EU Representative for your organisation?

Seers can help you protect yourself by complying with GDPR law by using our excellent EU Representative service.
