An EU Representative for data protection is a person or organisation appointed to act on behalf of an organisation. The role is defined under Article 27 of the General Data Protection Regulation (GDPR), which sets out that the representative serves as the first point of contact for EU Data Subjects and Regulators.
Under the most basic arrangements, they will liaise with the organisation that has appointed them, forwarding any complaints and responses between the parties. The appointment of a representative will also enable an organisation to comply with the requirements for international transfers, mainly by establishing means that enable Data Subjects to enforce their rights.
Under the current guidance from the European Data Protection Board (EDPB), the role of Data Protection Officer is not deemed to be compatible with the role of EU Representative. Under GDPR, Data Protection Officers are required to be given autonomy within an organisation, which conflicts with the position of the EU Representative, who is required to act in accordance with the mandate outlining their appointment.
You will need to appoint an EU Representative if you are an organisation outside of the European Economic Area (EEA) and are processing the data of European Data Subjects outside of the EU. This might be in the course of your own business activities or when processing the data on behalf of another party, and it is part of your obligations to provide Data Subjects with the ability to enforce their rights.
Under GDPR Art. 27, however, exceptions can be made if the organisation falls under one of two categories. If they are not regularly processing EEA Citizen data on a large scale, or if they are a public authority or organisation, then they will not be under any obligation to appoint a representative.
If you are a company based in a country that the EU has deemed adequate in terms of its data protection safeguards, such as Argentina, Canada, Israel, Andorra, Faeroe Islands, Guernsey, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, then the transfer of data is permitted without extra safeguards in place, such as binding corporate rules or contracts that establish protections for Data Subjects. But this does not remove the need for a representative: a company that lacks a presence in the EU or EEA will be required to have a representative in accordance with Art. 27.
Art. 27, which establishes the legal foundation for this role, also outlines how a representative is to be appointed. They are to be appointed in writing, and the written appointment will also set out the scope of their mandate. This will at minimum enable them to be the first point of contact for any European complaints. The appointment of a representative will not absolve the organisation of any liability in relation to its own obligations.
Art. 27 states that representatives need to be based in the member states where the organisation is offering goods and services that require the processing of personal data. However, the guidance from the EDPB states that if goods and services are being offered in multiple EEA Countries, the organisation will only need to appoint one representative, so long as it is in one of the Countries where those goods and services are offered.
The scope of the appointment, which will outline the representative’s duties and obligations, will also require some initial coordination on other matters: setting up lines of communication and policies for the verification of and Data Subject Requests, how regulators should be communicated with, and the requirements to disclose any confidential information that has been requested. Having these arrangements set out at the start will enable swift responses to Data Subjects and regulators.
Yes; however, this also depends on whether or not you maintain a presence within the EU. If you are just providing goods or services that require the processing of EU Citizens’ personal data without having an EU presence, then you will be subject to the obligations under Article 27. However, these obligations will not be immediately imposed on the exit date of the 31st of January.
After the end of the transition period, EU Representatives based in the UK will no longer be able to provide their services for Europe as a whole, as the UK will no longer be part of the EU. This will be the case even if the UK leaves with an agreed deal shaping the future relationship with the EU.
The current approach in the UK, from both the government and the ICO, indicates retention of many of the data protection principles in the pursuit of an adequacy decision at the end of the transition process. In light of this approach, the ICO states in its guidance that organisations outside of the UK without a presence will require a Data Protection Representative for the UK and a separate one for the EU.