Are you established outside the EU and you process personal data of individuals who are in the Union, offering them goods or services or monitoring their behavior? If the answer is yes, this article will be useful to you since you need to appoint a GDPR representative in the EU.

What is a GDPR representative

This is not an entirely new role, since it already existed under Directive 95/46/EC. It has, however, been subject to changes and is now defined by Article 4.17 of the GDPR as:

A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.

It is, in a few words, a point of contact for data protection authorities and data subjects, which must be appointed by some of the controllers and processors to which the GDPR applies.

When should a representative be appointed

According to Article 27 of the GDPR, any entity or organisation established outside the EU that processes personal data of natural persons who are in the European Union, either by making goods or services available or by monitoring their behavior, must appoint a representative in the EU.

However, the law provides for an exception: the appointment is not mandatory when all three of the following criteria are met:

  1. the processing is occasional,
  2. it does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and
  3. it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

Furthermore, the appointment is not necessary where the controller or processor is a public authority or body.

How to designate a GDPR representative in the EU

The GDPR stipulates that the appointment must be made in writing; therefore, a representative cannot be appointed orally. There is no explicit provision on whether the appointment can be carried out by electronic means.

In addition, the designation should be reflected in the privacy policy and legal notices that provide the mandatory information required by Articles 13 and 14 of the GDPR; failing to inform data subjects would be a breach of the transparency obligations.

Who can be named representative under Article 27 of the GDPR

The GDPR only requires that the representative be established in a Member State where the data subjects whose personal data is processed are located. If you process, or may process, personal data of data subjects anywhere in the EU, you may appoint the representative in any Member State.

Notwithstanding the above, where you process personal data of individuals from more than one Member State and most of them reside in one specific State, the good practice highlighted by the EDPB in Opinion 3/2018 on the territorial scope of the GDPR (version for public consultation) is to designate a representative that is established in the Member State where most of the data subjects are.

The GDPR representative may be an external natural or legal person, but also a subsidiary. Where the representative is a company or organisation, it is recommended that it assign a single individual as lead contact and person in charge.

GDPR representative services and responsibilities

The representative acts under the instructions of the controller or the processor, and its main task is to address all issues raised by the supervisory authorities or data subjects concerning the processing activities.

The above means that, on the one hand, the representative should be the main point of contact for data subjects, providing them with information about the processing of their personal data and facilitating the exercise of data subject rights. On the other hand, the representative also has the obligation, following the mandate of the controller or processor, to cooperate with the supervisory authorities and to make available any information required when requested, including the record of processing activities.

For carrying out the above tasks, the regulation allows the controller or processor to enter into an agreement with the representative and decide whether data subject rights will be handled solely by the representative or by the controller or processor and the representative jointly.

Furthermore, the law also requires the GDPR representative to maintain an up-to-date record of processing activities. This task must be carried out jointly with the controller or processor, who have the obligation to provide the representative with accurate and up-to-date information.

Where the representative service is rendered by an external contractor or a subsidiary, the duties should be specified in a service agreement, making clear where those duties begin and end.

Finally, take into account that, regardless of the agreements reached, under the GDPR it is the controller who remains obliged to respond to data subject rights requests.

Liability of the EU representative

Recital 80 states that the representative designated “should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.

Even though it is not expressly stated by Article 27, everything suggests, and this has been confirmed by the EDPB and by the local law of EU Member States, that the representative will be held liable for non-compliance with the GDPR by the controller or the processor it represents.

However, a representative that has been fined or compelled to compensate data subjects has the capacity to seek redress. This is established by Article 27.5 of the GDPR:

The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Sadly, this might prove very hard to accomplish, since the representative will most probably need to seek compensation outside the EU, unless arbitration or jurisdiction clauses submitting to an EU Member State have been agreed.

In Spain, Article 30 of the Spanish Data Protection Act (LOPDGDD) makes the controller or processor and the representative jointly and severally liable for sanctions imposed by the Spanish data protection authority (AEPD) and for data subjects' claims for damages.

Compatibility of the representative with the data protection officer (DPO)

Although there is no explicit prohibition on combining both positions in the same person, it may not be advisable, since the two roles can easily come into conflict.

The representative acts following the mandate received from the controller or processor; the data protection officer acts with independence. Combining the roles puts the DPO's independence at risk when responding to requests from supervisory authorities exercising their inspection powers.

In addition, the liability of a DPO is limited: the DPO is not held liable for infringements committed by the controller or processor it acts for. The same cannot be said of the representative; therefore, it is not advisable to task the same person with both positions.
