What is an EU Representative and why do I need one?
Why is it cheaper to buy online?
Our administrative costs of processing an online purchase are much lower than for an offline purchase and we pass those savings on to you.
What does an EU representative do?
The EU representative’s role is to ensure that individuals (data subjects) and data protection authorities (supervisory authorities) have a mechanism which allows them to communicate with organisations. A key driver behind this is to make sure that EU citizens will be able to contact the data processors and controllers outside Europe who hold their personal data in a quick, efficient and simple way.
Who needs to appoint one?
Put simply, under Article 27 of the EU GDPR, if your organisation has no business presence in Europe (the 27 member states of the European Union as well as Iceland, Norway and Liechtenstein in the European Economic Area), you need to appoint an EU representative if:
- You offer goods or services to individuals in Europe; or
- You monitor the behaviour of individuals in Europe.
What does monitoring the behaviour of individuals mean?
Monitoring or “profiling” within the GDPR framework means anything you do that involves the automated analysis or predicting of behaviour of individuals, their movements, personal preferences, health, economic situation etc.
Are there any exceptions to this?
There are limited exceptions to this, depending on the volume and type of data you are processing or whether you are a public body or authority. However, the extent to which exceptions apply has not yet been tested.
When should I put this in place?
Appointing an EU representative has been a requirement for organisations based outside Europe since the introduction of GDPR. What has changed is that since 1 January 2021 the UK is no longer a member state of the European Union, so UK-based organisations that don’t have a business presence in Europe but are marketing to Europe or monitoring the behaviour of people in Europe now need an EU representative.
Why is it important to act now?
As details of the EU representative need to be easily accessible, typically in your privacy documentation (for example your customer-facing privacy notice or published on your website), it is obvious if you have failed to meet your Article 27 obligations. If you are in breach of Article 27 you may face fines of up to ten million Euros or 2% of your global turnover.
Hasn’t the transition period been extended?
The transition period doesn’t apply to the appointment of an EU representative. The transition period is in place to allow the free flow of data between the EU and UK while the EU Commission continues to assess the UK’s application for adequacy. This transition period is in place until 30 April 2021 with an option to extend until 30 June 2021.
What is included in the service and how much does it cost?
What is included in the service?
We act as a communications conduit between your organisation and both data subjects and data protection authorities, provide you with an EU representative email address and wording to insert into your privacy notice(s), and hold an up-to-date copy of your Article 30 record of processing activities, as required by Article 27. We pass any enquiries from data subjects or data protection authorities to you to deal with.
How much will it cost?
This is an annual fixed fee service. Our pricing is based on the size of the organisation and we charge per entity.
Do I need a separate EU representative for all the companies in my group?
We can provide an EU representative for all group entities, but we charge based on the number of entities that need to be included.
Where is your EU representative based?
Our EU representative service is based in the Republic of Ireland. It is provided by our sister company IT Governance Europe Limited.
Does it matter where my EU representative is based?
Generally, an EU Representative is appointed in the EU member state where the majority of your customers or clients reside. However, given the global nature of the internet and the possibility of processing customer data from the whole EEA, there appear to be no restrictions on hosting your EU representative in one member state.
Do you charge extra depending on the number of data subjects our organisation deals with?
No, we charge a flat fixed fee based on the size of your organisation.
Are translation services included in the price?
We don’t offer translation services. We pass any enquiries from data subjects or data protection authorities to you in the language we received them.
Does the EU representative need to be registered?
It is not required under the regulation but you need to make details of your EU representative easily accessible, for example in your privacy notice or by publishing details on your website.
What should my Article 30 Record contain?
The Article 30 record is a key document for GDPR compliance and should document what data you are processing and why, where data is stored, the volume of data you are dealing with and how it is moving through your organisation. If you don’t have an accurate picture then you may not be aware of where your compliance gaps are and where you might be in breach of the GDPR. You also need to have one readily available in case a data protection authority asks to see it.
Our organisation has fewer than 250 employees. Am I required to have an Article 30 record?
The exemptions are very limited and haven’t been fully tested. Without an accurate and up-to-date record of processing activities it is difficult to be assured that you are compliant. It is best practice to have one and we strongly recommend all clients have one and keep it up to date.
Will you review or advise us on our Article 30 Record?
The GRCI Law team can help you with this but it is not included in this service. We would be happy to talk to you about your specific requirements.
How soon do you need my Article 30 Record?
Ideally, as soon as you sign up or as soon as possible.
If a data subject contacts you, do you deal directly with the query?
We pass all enquiries from data subjects to you to deal with along with any enquiries from data protection authorities.
Would you provide the Article 30 record to a data protection authority without consulting us?
We would contact you first before responding to a request from a Supervisory Authority.