Something unique to the GDPR (General Data Protection Regulation) compared with previous European data protection laws is the scope of its application.
Not only does the GDPR apply to processing activities carried out within the EU but it also applies to data controllers and processors worldwide who process EU residents’ data where such processing relates to:
- Offering goods or services; or
- Monitoring their behaviour (if that behaviour takes place within the EU).
However, it would be difficult for a supervisory authority (the Information Commissioner’s Office (ICO) in the UK) to take enforcement action against a data controller or processor based outside of the EU or EEA. Therefore, the concept of an EU representative was introduced to bridge this gap.
What is an EU representative?
An EU representative is a natural or legal person appointed to represent a data controller or processor that does not have its main place of business or is not established within the EU or EEA. For a data controller or processor to be established in the EU they must have a branch or office within the EU.
Therefore, if you are a data controller or processor that undertakes one or both of the activities described and you do not have a presence in the EU or EEA, in all likelihood you will be required to appoint an EU representative unless certain exceptions apply.
Those exceptions are:
- Your organisation is a public authority.
- Where data processing activity is occasional, does not pose a high risk to the rights and freedoms of individuals and does not involve special category data or data relating to criminal convictions.
Who can be an EU representative and what is their role?
An EU representative can be a natural or legal person established within the EU who is available to represent data controllers situated outside the EU or EEA.
Your EU representative must be appointed in writing, setting out your relationship and the scope of their obligations. They should act on behalf of the controller or processor by:
- Being the contact in addition to or instead of the data controller or processor for all communications from supervisory authorities and data subjects on matters relating to the processing of personal data and with regard to their obligations under the GDPR; and
- Maintaining a record of processing activities under the responsibility of the data controller or processor as provided for by Article 30 of the GDPR.
The European Data Protection Board Guidelines 3/2018 on the GDPR’s territorial scope make clear that data controllers and processors not based in the EU need to appoint an EU representative in order to enforce the Regulation effectively. This includes the possibility of an EU representative being held liable and having administrative fines and/or penalties imposed.
Brexit and the EU representative
If your organisation is UK based and carries out processing activities such as monitoring the behaviour of, or offering goods and services to, EU residents, and you intend to do so after Brexit, you will most likely require an EU representative to be based in the EU or EEA. The representative must be based where at least some of the data subjects whose data you are processing are located. For example, if you have customers in Ireland, Spain and France, your EU representative must have a presence in one of those countries.
GRCI Law offers an EU Representative service, whereby we represent our clients in the EU as described in this article.