The GDPR (General Data Protection Regulation) is characterised by its widespread departure from previous European data protection laws – and one area where this is particularly the case is the scope of its application.
Not only does the GDPR apply to processing activities carried out within the EU but it also applies to data controllers and processors worldwide who process EU residents’ data where such processing relates to:
- Offering goods or services; or
- Monitoring their behaviour (if that behaviour takes place within the EU).
The GDPR provides that such non-EU organisations processing EU personal data must appoint an EU representative.
What is an EU representative?
An EU representative is a natural or legal person appointed to represent a data controller or processor that does not have its main place of business in, or is not established within, the EU or EEA.
For a data controller or processor to be established in the EU they must have a branch or office within the EU.
Therefore, if you are a data controller or processor that undertakes one or both of the activities described and you do not have a presence in the EU or EEA, in all likelihood you will be required to appoint an EU representative unless certain exceptions apply.
Those exceptions are:
- Your organisation is a public authority.
- Your data processing activity is occasional, does not pose a high risk to the rights and freedoms of individuals and does not involve special category data or data relating to criminal convictions.
Who can be an EU representative and what is their role?
An EU representative can be a natural or legal person established within the EU who is available to represent data controllers situated outside the EU or EEA.
Your EU representative must be appointed in writing, setting out your relationship and the scope of their obligations. They should act on behalf of the controller or processor by:
- Being the contact in addition to or instead of the data controller or processor for all communications from supervisory authorities and data subjects on matters relating to the processing of personal data and with regard to their obligations under the GDPR; and
- Maintaining a record of processing activities under the responsibility of the data controller or processor as provided for by Article 30 of the GDPR.
The European Data Protection Board Guidelines 3/2018 on the GDPR’s territorial scope make clear that data controllers and processors not based in the EU need to appoint an EU representative.
Brexit and the EU representative
If your organisation is UK based and carries out processing activities such as monitoring the behaviour of, or offering goods and services to, EU residents, and you intend to do so after Brexit, you will most likely require an EU representative to be based in the EU or EEA.
Selecting an EU representative
Any natural or legal person based in an EU member state within which you collect personal data can be an EU representative.
The representative must be based where at least some of the data subjects whose data you are processing are located. For example, if you have customers in Ireland, Spain and France, your EU representative must have a presence in one of those countries.
If you’re looking for help finding an EU representative, we are here to help.
You can find an EU representative quickly and easily with the help of our sister company GRCI Law.
With our EU Representative Service, our team of lawyers, barristers, and information and cyber security experts will take the strain of GDPR compliance, acting as your representative for personal data processing activities.
A version of this blog was originally published on 8 April 2019.