Firstly, what is the General Data Protection Regulation (GDPR)? And who is it that really needs an EU Representative?
The General Data Protection Regulation (GDPR) provides a level of international protection for the personal data of EU citizens under Article 3.
Article 3 outlines that GDPR will apply to companies that are processing the personal data of EU citizens outside of the European Economic Area (EEA). GDPR imposes a variety of obligations on these companies, such as ensuring that they apply the core data protection principles and treat the data as required by the GDPR.
This issue also comes into play for companies and organisations that are involved in the international transfer of data.
To assist with accountability, the GDPR establishes the role of the EU Representative under Article 27. The role of the EU Representative is a role distinct from that of a Data Protection Officer (DPO) for a variety of reasons.
What does an EU Representative do?
The main focus of the EU Representative is to be the first point of contact for data subjects and regulators who need to contact the organisation outside of the EEA, and to act in accordance with the instructions that form part of the mandate appointing them.
Data Protection Officers (DPOs), by contrast, are expected to be given a degree of autonomy to enable them to carry out their duties effectively and advise on the compliance issues relating to data protection.
Top 3 key roles of an EU Representative
In essence, the role of the EU Representative is a simple one and includes:
- To be the first point of contact in Europe.
- To receive any complaints and communications in Europe and forward these onto the relevant person within the organisation.
- To liaise between the parties involved with a complaint and provide any assistance when required.
All activities they assist with should be dealt with under the written mandate. Along with this, the appointing organisation should set out procedures and the correct lines of communication, so that all parties involved are aware of their duties and manage responses in line with the deadlines that are expected under the law.
When do you need to appoint an EU Representative?
This means that for compliance, companies that are operating outside of Europe by trying to market or offer goods or services in Europe must appoint an EU Representative.
If they are NOT:
- a public authority or body
- and they are regularly processing personal data on a large scale
- or processing sensitive data.
There are some areas in which confusion can arise when appointing an EU Representative, such as where they are required to appoint one and whether it can be in any member state.
Will just one EU Representative be sufficient?
The European Data Protection Board (EDPB) outlined in its guidance that the representative must be in a member state in which the company is offering goods and services. Where these are being offered across multiple countries in the EEA, the EDPB allows the EU Representative to be based in only one of those countries.
This gives companies seeking to appoint an EU Representative an easier and more cost-effective route, as appointing a representative in every member state would be costly and increase the complexity of such an operation.
Some companies might be exempt for another reason: when they are established in the EU with a subsidiary and that subsidiary is directly involved with the processing activities.
However, the EDPB guidance states that if the subsidiary is not involved with the data processing activity, then you are required to appoint an EU Representative.
In theory, the subsidiary can be appointed as the representative if it is operating in one of the states in which you are offering goods and services. If that is not the case, then appointing an independent representative in another state will be required.
3 tips for choosing the right EU Representative
Once the appointment of an EU Representative has been made, there are a few things that need to be done to ensure smooth operation when handling requests and complaints.
Dealing with complaints and procedures
The other area that needs to be discussed between the company and its representative is the key procedures and lines of communication that need to be set up for a responsive system to be put in place, such as verifying the responses from data subjects.
This forms the basis for the appointment of the EU Representative. There are several key points to be aware of when doing so:
- The EU Representative needs to be given an explicit mandate in writing, outlining the scope of their duties.
- An EU Representative is a role and appointment distinct from that of a DPO. They are to operate within the scope of the duties set out in their mandate. They are not really supposed to advise or implement anything in regard to GDPR compliance.
- When appointing a representative, they must be appointed in one of the member states that the company is offering goods or services in.
So there you have it.
If your business is based outside the EU, but you “conduct business in the EU”, you need to appoint an EU Representative.
Ready to appoint an EU Representative for your organisation?
Seers can help you protect yourself by complying with the General Data Protection Regulation (GDPR) by using our excellent EU Representative Service.