Will my company get fined for not having a GDPR Representative?
EU regulators have started to fine non-EU companies that process the personal data of EU data subjects but have not designated a GDPR Representative. On 12 May 2020 the Dutch Data Protection Authority imposed a €525,000 fine on Locatefamily.com for failing to appoint a representative in the EU as required by Article 27 of the GDPR.
Before we can act as your Representative, we will dedicate time to understand your personal data processing activities and your approach to compliance.
Represent you in the EEA - this includes:
- Register our EU address as your GDPR representative address.
- Be named in your privacy notice as a point of contact in the EEA.
- Act on your behalf with European data protection supervisory authorities.
- Be addressed on all issues related to your personal data processing activities.
- Maintain your record of processing activities (ROPA) as required by article 30 of the GDPR.
- Keep you updated with respective changes to EU rules on personal data processing.
Optional Services
We can provide you with our assessment of your state of compliance with the GDPR. In year 1 this consists of a Data Privacy Gap Analysis and any Data Protection Impact Assessments (DPIAs) deemed necessary. In the following years we can run annual high-level reviews of these documents to ensure they are up to date.
Are there any exemptions?
Article 27(2) provides two exemptions from the obligation to designate a representative. The first is for processing which is occasional, does not include large-scale processing of special categories of data (Article 9(1)) or of data relating to criminal convictions and offences (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. The second is for public authorities or bodies. What exactly constitutes 'occasional' is not defined in the GDPR.
It is important to note that if you decide that you do not need a representative, you must test this decision and document it. All three conditions of the first exemption have to be met, and you have to be able to show that the processing of personal data is occasional.
What are the tasks of the EU representative?
The representative acts on behalf of the controller or processor with regard to their obligations under the GDPR. The representative is a direct contact for the authorities and for data subjects (users/customers), and is also an authorised agent to receive legal documents. Representatives may also be tasked with maintaining records of processing activities (GDPR Art. 30(1) and (2)) and making those records available to the supervisory authority (GDPR Art. 30(4)). It is important to note that designating an EU-based representative is without prejudice to legal actions that could be initiated against the controller or processor themselves (GDPR Art. 27(5)); the controller or processor is always accountable.
You must authorise the representative in writing. The authorisation should contain the representative’s tasks. Currently, you don’t have to inform your Supervisory Authority, but you must name the representative in your information to the data subject (typically your privacy policy), (GDPR Art. 13 and 14) and your records of processing activities, (GDPR Art. 30).
Who can I choose to be my representative?
The role of the representative should not be confused with that of the DPO (Data Protection Officer). A representative of a non-EU company is not required to assess GDPR compliance, and need not be a legal professional or a data security professional.
However, given that the representative may be required to communicate with authorities and data subjects over a variety of issues, it is beneficial for the representative to have a good knowledge of the GDPR. Your GDPR Representative should also have a good understanding of your company's data services: what data your company uses and how. Ideally the representative will have professional experience of working with authorities on regulation and compliance.
On 16 November 2018 the EDPB (European Data Protection Board) confirmed, in its guidelines on the territorial scope of the GDPR, that the controller/processor should:
in accordance with Articles 13(1)(a) and 14(1)(a), as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the Union. This information shall, for example, be included in the privacy notice or upfront information provided to data subjects at the moment of data collection. A controller not established in the Union but falling under Article 3(2) and failing to inform data subjects who are in the Union of the identity of its representative would be in breach of its transparency obligations as per the GDPR.
So, it should be clear in your Privacy Statement who your representative is and how they can be contacted.
Is the EU representative liable for the purposes of enforcement of the GDPR?
A judgment of the High Court in the UK dated 28 May 2021 indicates clearly that the Article 27 representative is not itself liable for the controller's compliance. Mrs Justice Collins Rice concluded that there was no basis in law for the claim to be brought against LexisNexis, in its capacity as the Article 27 representative of WorldCo (the data controller), and the claim was struck out. Note that this is a decision of a court in the UK and is not binding on courts or supervisory authorities in the EU.
Further, where the Guidelines address the legal liability of representatives at all, they do so in exclusionary terms, stating: “The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union”.
Is a GDPR Representative the same as a DPO?
The GDPR (Article 4(17)) defines the "representative" as "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation". A natural person is an individual; a legal person is a company or other entity that has legal rights and is subject to legal obligations. This should not be confused with the role of the Data Protection Officer (DPO). The GDPR gives the representative no decision-making responsibility of its own; it acts on the written mandate of the controller or processor.
Which EU country can a GDPR Representative be from?
The representative must be established in one (only one) of the EU Member States where the data subjects whose personal data the company processes are located. If the company processes personal data of data subjects in more than one EU country, it can choose any one of those countries.
We obviously recommend Ireland. The regulator speaks English and has extensive experience in dealing with technology companies like Facebook, Twitter and Google – to name a few.
Designation of a representative is "without prejudice" to legal actions that could be initiated against the company itself (Article 27(5)). Both the company and the representative could be subject to enforcement proceedings (Recital 80). The representative and the DPO should be separate persons: the EDPB guidelines treat the two roles as incompatible because of the potential conflict of interest.
In many cases, the representative will be a 3rd party. It is probable that legal and corporate service providers will have experts providing this service to a number of companies. This is a new role and it will be interesting to see how it evolves.
The GDPR Representative is a Go-between
The representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including being a contact point for supervisory authorities.
It is the controller or processor that must ensure that their chosen representative has good systems in place to receive and handle communications from data subjects. If a data subject makes a Subject Access Request (SAR), or the relevant supervisory authority makes a request, the representative must make sure it reaches the controller or processor and is answered within the statutory deadline (for data subject requests, without undue delay and in any event within one month of receipt under Article 12(3), extendable by two further months only for complex or numerous requests). There is a lot of procedural work to be done here, and the following should be settled in advance:
- What email addresses are used to communicate?
- Do multiple people check that mailbox (for example, if someone is on holiday)?
- What is the process for the representative to communicate with the controller or processor?
- How are incoming requests logged and their deadlines tracked?
One Stop Shop
Most companies would like to deal with one regulator (the "one-stop-shop") and the GDPR facilitates this for companies with an establishment in the EU. There is a lot of discussion around existing EU structures, but the question is just as relevant for companies that do not have a legal entity in the EU.
It is important to note that appointing a representative does not give a non-EU controller/processor access to the one-stop-shop mechanism: the representative is not an "establishment" of the company in the EU, and the obligation to appoint one only arises in the first place when the company has no EU establishment.
There is an alternative: a company can set up a main establishment in the EU, in which case the one-stop-shop becomes available and a representative is no longer required.
Legal Obligations of GDPR Representative
Like many aspects of the GDPR, the representative's own legal position is not spelled out in detail. Article 27(5) does state that the designation of a representative is without prejudice to legal actions which could be initiated against the controller or processor themselves.
This means that even if a processor or controller has a GDPR Representative, they remain accountable. You can outsource the role of the GDPR Representative, but you cannot outsource accountability. If the controller or processor does not appoint a representative when required, they can "be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher" (Article 83(4)).
GDPR Representatives – be warned
Recital 80 of the GDPR, after describing the representative's role on behalf of the controller or processor, closes with: "The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."
This is suitably vague and, on its face, contradictory. Article 27 states clearly that the processor and controller remain accountable, but this line at the end of the recital also implicates the representative. I hope the EDPB (which replaced the WP29 in 2018) will clarify this. In the meantime, my view (I am not a lawyer) is that enforcement against the representative is limited to the representative not doing its own job correctly (see above). It also puts a burden on the representative to understand the companies it represents: a GDPR Representative must understand in some detail the controller's or processor's business and its attitude towards data protection.
On 16 November 2018 the EDPB also confirmed what it expects of a GDPR Representative:
With the help of a team if necessary, the representative in the Union must, therefore, be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.
As outlined above, this is a role of some significance. The EU has 24 official languages; the representative is not expected to speak all of them, but it must be able to communicate (with the help of a team if necessary, as the guidelines say) in the languages used by the supervisory authorities and the data subjects the company actually deals with. The controller/processor is responsible for ensuring that the representative it designates is capable of doing the job: if it has data subjects and supervisory authorities in several Member States, it needs to ensure the representative can handle communications in the languages of those Member States.