How do organizations that do not have an establishment in the EU comply with the EU GDPR? Do they need to appoint a Data Protection Officer (DPO) or an EU representative? This article, based on a conversation between Richard Merrygold and Punit Bhatia on the FIT4PRIVACY Podcast, looks at these questions.
For companies established outside the EU that aim for GDPR compliance, the key provision is Article 27 of the EU GDPR: it requires controllers and processors outside the EU to designate a representative in the EU if they process personal data in connection with offering goods or services to, or monitoring the behavior of, individuals in the EU. The representative serves as a point of contact for both the data protection supervisory authorities and the individuals concerned. So let us start with the role of an EU representative, whether you must appoint one, and how to appoint one.
An EU representative is the point of contact for EU data subjects (for queries relating to their rights and freedoms, or processing of their personal data) and data protection supervisory authorities. The representative acts on behalf of a controller or processor with regard to their obligations under the GDPR.
You must appoint one if your company offers goods or services to, or monitors the behavior of, individuals in the EU and processes the personal data of those individuals. Because this is set out in Article 27 of the EU GDPR, appointing an EU representative is a legal obligation, and it applies to both controllers and processors. Article 27(2) provides two exemptions: processing that is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of individuals; and public authorities or bodies. The designation must be made in writing, and the representative must be established in one of the member states where the individuals whose data you process are located.
An EU Representative's primary role is to serve as the local "point of contact" for data protection supervisory authorities and data subjects (i.e., the individuals who are served by your company).
In summary, your EU representative does three things:
Making communication with your data subjects easier. The representative enables data subjects to exercise their data protection rights effectively, for example by passing a data subject access request on to you. The representative is not responsible for acting on a data subject's request; that remains your responsibility.
Maintaining the record of processing activities. This is a joint responsibility between you and your EU representative. The content of the record remains your responsibility: you must keep an up-to-date record of processing activities (ROPA) and notify your representative of any changes so that the copy they hold stays current. Under Article 30, the representative must also be able to make the record available to the supervisory authority on request.
Dealing with supervisory authorities. Local regulators can contact your EU representative directly about European data protection issues. The representative forwards these communications to you and responds on your behalf, following your instructions.
The EU General Data Protection Regulation (GDPR) was adopted in 2016 as the data protection law for the EU member states and has applied since May 25, 2018. It applies throughout the EU (and the wider EEA) and, under Article 3(2), also to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, so its reach is effectively global. The GDPR's goal is to strengthen both the rights of data subjects and the obligations of controllers and processors. There are significant financial penalties: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. These fines apply whether your company is a controller or a processor.
In terms of applicability, it does not matter where your company is based. The EU GDPR applies to your company if it processes the personal data of individuals in the EU in connection with offering them goods or services (whether or not payment is required) or monitoring their behavior within the EU. So, regardless of where your company is based, the GDPR can apply to you.
Now let us put things into the context of Brexit. Article 27 of EU GDPR requires companies outside the EU to appoint a representative if they process personal data when offering goods or services or monitoring the behavior of individuals in the EU member states.
With the UK having implemented its own version of the GDPR (the UK GDPR), which contains the same obligation in a UK-only context, companies may also need to appoint a UK representative. There are now two legal provisions that can compel a company to appoint a representative in the EU, in the UK, or in both. Whether based in the EU, the UK, or elsewhere, most businesses should think through the implications.
For example, if a US company does business in the EU, which is common, it is subject to the Article 27 requirement to designate an EU representative if it collects personal data directly from persons in the EU in connection with offering services, for instance through a consumer-facing website.
The duties of an EU representative may sound similar to those of a DPO (Data Protection Officer), but the two should not be confused.
Under the EU GDPR, an EU representative represents a non-EU organization before supervisory authorities and data subjects. A DPO, by contrast, is an independent expert who monitors the organization's compliance and advises it on how to meet its data protection obligations; the DPO does not carry the organization's compliance responsibility, which stays with the controller or processor. The two roles should also not be combined: EDPB guidance on the GDPR's territorial scope states that the function of representative is not compatible with the role of DPO, because the representative acts under a mandate and on the organization's instructions, whereas the DPO must be able to act independently.
Now that the UK has left the EU, only those UK organizations that offer goods or services to, or monitor the behavior of, individuals in the EU must appoint an EU representative.
If you only do business with customers in the United Kingdom, you do not need to appoint an EU representative, because since the UK left the EU your customers are no longer individuals in the EU. However, if your processing or monitoring extends to individuals in an EU member state, you will almost certainly be required to appoint one. Organizations that already have an establishment in the EU, such as an office with staff based there, do not need a representative: the GDPR applies to them directly through that establishment under Article 3(1), and Article 27 only covers controllers and processors that have no establishment in the EU.