Punit Bhatia

Understanding the role of the GDPR EU representative


How do organizations that do not have an establishment in the EU comply with EU GDPR? Do they need to appoint a Data Protection Officer (DPO) or an EU representative? Let us delve into these questions in this article that is based on a conversation between Richard Merrygold and Punit Bhatia in the FIT4PRIVACY Podcast.


For companies that are established outside of the EU and aim for GDPR compliance, it is essential to know that Article 27 of EU GDPR requires companies outside the EU to appoint an EU representative if they process personal data relating to offering goods or services to, or monitoring the behavior of, individuals in the EU. The EU representative's role is to serve as a point of contact for both local data protection authorities and individuals. So, let us start with three questions: what is the role of an EU representative, must you appoint one, and how can you appoint one?

What is the role of an EU Representative?

An EU representative is the point of contact for EU data subjects (for queries relating to their rights and freedoms, or processing of their personal data) and data protection supervisory authorities. The representative acts on behalf of a controller or processor with regard to their obligations under the GDPR.

Do you need an EU representative?

Yes, if your company is offering goods or services to, or monitoring the behavior of, individuals in the EU and will process the personal data of such individuals. As this is set out in Article 27 of EU GDPR, the appointment of an EU Representative is a legal obligation. It applies to both controllers and processors.

What are the responsibilities of the EU Representative?

An EU Representative's primary role is to serve as the local "point of contact" for data protection supervisory authorities and data subjects (i.e., the individuals who are served by your company).

In summary, your EU Representative must do the following:

Making communication with your data subjects easier

The representative enables data subjects to exercise their data protection rights effectively, for example by passing on a data subject's access request to you. The EU Representative is not responsible for acting on the request of a data subject; this is your responsibility.

Maintaining a record of your processing activities

This is a joint responsibility between you and your EU Representative. The record's content remains your responsibility, and you must keep an up-to-date record of processing activities (ROPA). You must also notify your EU Representative of any updates to the record of processing activities so that he/she can stay up to date.

Receiving messages from EU supervisory authorities/regulators

Local regulators can contact your EU Representative directly to discuss European data protection issues. Your representative, who will respond on your behalf following your instructions, will forward these communications to you.

What is GDPR? And who does it apply to?

The EU General Data Protection Regulation (GDPR) was adopted as the privacy law for the EU countries in 2016 and came into effect on May 25, 2018. The GDPR applies throughout Europe and outside of EU borders, i.e. globally. The EU GDPR's goal is to strengthen both data subjects' rights and the obligations of controllers and processors. Of course, there are significant financial penalties, which can amount to up to 20 million euros or 4% of global annual turnover, whichever is higher. These fines apply irrespective of whether your company is a controller or processor.

In terms of the applicability of EU GDPR, it does not matter where your company is based. The EU GDPR will apply to your company if your company processes the personal data of EU residents as part of providing services to individuals who are EU residents. This means that, regardless of where your company is based, GDPR can apply to you.


The obligation to appoint an EU Representative

Now let us put things into the context of Brexit. Article 27 of EU GDPR requires companies outside the EU to appoint a representative if they process personal data when offering goods or services to, or monitoring the behavior of, individuals in the EU member states.

With the UK implementing its own version of the GDPR, which provides for the same responsibility in a UK-only context, companies would also need to consider appointing a UK Representative. So, there are now two legal provisions that could compel companies to appoint a representative in either the EU or the UK, or even both. Whether based in the EU, the UK or elsewhere, most businesses should think about the implications.

For example, if a US company does business in the EU, which is a common practice, the US company would be subject to the requirement of designating a local representative under Article 27 if it collects personal data directly from persons in the EU relating to the offering of services, such as through a consumer-facing website.

What is the difference between an EU representative and a Data Protection Officer?

The duties of an EU representative may sound similar to those of a DPO (Data Protection Officer), but the two should not be confused.

When it comes to EU GDPR requirements, an EU representative is tasked with representing non-EU-based organizations. A DPO, on the other hand, is an independent expert who assists in the facilitation and assessment of the organization's compliance practices. The DPO is in charge of ensuring compliance and advising organizations on how to meet their data protection obligations.

Is it necessary for UK organizations to have an EU representative?

Only UK organizations that monitor or offer goods or services to EU residents must appoint an EU representative.

If you only do business with customers in the United Kingdom, you do not need to appoint an EU representative, because your customers will no longer be EU residents as soon as the UK exits the EU. However, if your data processing or monitoring extends to an EU member state, you will almost certainly be required to appoint an EU representative. Organizations with an office in the EU and employees based in the EU are exempt.

What about companies based outside the EU and the UK?

Companies outside the EU and the UK must carefully consider whether they need to appoint a UK representative under the new UK provisions. They may now need to select two representatives to comply with both EU GDPR on the one hand and the UK GDPR on the other. If the company has already established a European representative, but this representative does not have a presence in the UK, the company must appoint a second, UK representative. The same is true for companies whose European representative is based in the UK but has no presence in the EU: they may now be required to appoint an EU representative established in the EU. And, if you still have doubts, you can contact us and we shall help you in clarifying this.

How can you appoint an EU representative for your company?

For companies that do not have an establishment in the EU, we at FIT4PRIVACY provide you with an EU Representative as a service. Contact us at hello@fit4privacy.com, and we shall help you to appoint an EU representative. Of course, you can choose any other company as well. We can also help you with other obligations in the context of the processing of personal data while clarifying whether your company plays the role of controller or processor.

Conclusion

EU GDPR compliance can provide many opportunities for businesses in terms of competitiveness, consumer confidence, and overall good reputation. If your company provides services and products to EU residents, and your company does not have an establishment in the EU, you must appoint an EU representative right away by contacting us. And do remember that while you appoint a representative, you also take other necessary steps to ensure privacy and data protection compliance in line with applicable data protection laws like EU GDPR.

About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who helps CXOs and DPOs to identify and manage privacy risks by creating a privacy strategy and implementing it through setting up and managing your privacy program and providing scenario-based training to your key staff. In a world that is digital, AI-driven, and has data in the cloud, Punit helps you to create a culture of privacy by establishing a privacy network and training your company's management and staff.

About Richard Merrygold

Richard Merrygold is Data Protection Officer at iStorm Solutions and has spent the last 9 years working across the healthcare, pharmaceutical, technology, and financial service sectors. Richard was formerly the Director of Data Protection at Homeserve and has featured as a regular speaker at various conferences.

Listen to the top ranked EU GDPR based privacy podcast...

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.