An EU Representative for data protection is a person or organisation appointed to act on behalf of an organisation. It is a role defined under Article 27 of the General Data Protection Regulation (GDPR), which sets out that they serve as the first point of contact for EU Data Subjects and Regulators.
Under the most basic arrangements, they will liaise with the organisation that has appointed them, forwarding any complaints and responses between the parties. The appointment of a representative will also enable an organisation to comply with the requirements for international transfers, mainly by establishing means that enable Data Subjects to enforce their rights.
Under the current guidance from the European Data Protection Board (EDPB), the role of Data Protection Officer is not deemed to be compatible with the role of EU Representative. Under GDPR, Data Protection Officers are required to be given autonomy within an organisation, which conflicts with the position of the EU Representative, who is required to act in accordance with the mandate outlining their appointment.
However, an argument could be made for appointing those who understand European Data Protection Law in order to assist with any questions or advice regarding compliance.
You will need to appoint an EU Representative if you are an organisation outside of the European Economic Area (EEA) and are processing the data of European Data Subjects outside of the EU. This might be either through the course of your own business activities or when processing the data on behalf of another party, and is thus part of your obligations to provide Data Subjects with the ability to enforce their rights.
However, under GDPR Art. 27, exceptions can be made if the organisation falls under one of two categories. If they are not regularly processing EEA Citizen data on a large scale, or if they are a public authority or organisation, then they will not be under any obligation to appoint a representative.
Art. 27, which establishes the legal foundation for this role, also outlines how a representative is to be appointed. They are to be appointed in writing, and the written appointment will also set out the scope of their mandate. This will, at a minimum, enable them to be the first point of contact for any European complaints. The appointment of a representative will not absolve the organisation of any liability in relation to their own obligations.
Art. 27 states that representatives need to be based in the member states where the organisation is offering goods and services that require the processing of personal data. However, under the guidance from the EDPB, if goods and services are being offered in multiple EEA countries, the organisation will only need to appoint one representative, so long as it is in one of the countries they are offering goods and services in.
The scope of the appointment, which will outline the representative's duties and obligations, will also require some coordination on other matters. This will require some initial coordination to set up lines of communication and policies for the verification of and Data Subject Requests, and how regulators should be communicated with, along with the requirements to disclose any confidential information that has been requested. Having these arrangements set out at the start will enable swift responses to Data Subjects and regulators.