Brexit and the GDPR. Do you need to appoint an EU Representative?

04/03/2020

Much of the noise around Brexit has been in and around the trade deal. Data protection, and the flow of data between the EU and the UK, has been mentioned by both the UK government and the EU.


At the time of writing, there is much sabre-rattling, with the EU stating that it will expect the UK to align with EU regulations (including the GDPR) and the UK government stating the opposite.


Whilst data flows have been mentioned, one issue that has not is the requirement, for some organisations outside the EU, to appoint what is termed a European Representative.


What is a European Representative?

Article 27 of the GDPR states that a company with no EU establishment, whether acting as data controller or processor, which sells products within the EU or actively monitors individuals there, is required to appoint an EU Representative.


There are some exceptions, but the general rule is that if you do not have an EU office and your organisation processes the personal data of individuals within the EU, you are likely to require an EU Representative.


Appointing an EU Representative. Things to consider.

  • An organisation’s EU Representative should be established in the EU Member State where the largest number of their data subjects are based;
  • Individuals located in EU Member States other than where the EU Representative is established should have easy access to the EU Representative;
  • The same company/person cannot act as a Data Protection Officer and EU Representative for the same company. This is due to the risk of a conflict of interest arising;
  • For the same reason, a company should not appoint an organisation which also acts as their data processor to be their EU Representative. The Guidelines state only that a controller should not appoint their processor to this role, but it is anticipated that this was also intended to cover agreements between processors and sub-processors, so that a sub-processor should not be the EU Representative of their instructing processor. All other GDPR obligations are expected to be flowed down between those parties as they were between the controller and the primary processor, so the same conflicts could arise;
  • Only one representative is required to be appointed for each company and there is no need to appoint one representative for each data processing activity undertaken;
  • Occasional exemption: the Guidelines interpret 'occasional' in the same way as when considering the duty to prepare the Article 30 GDPR records of processing. In particular, 'a processing activity can only be considered as "occasional" if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor';
  • Occasional exemption: when considering the third element of this exemption, whether the 'processing is likely to result in a risk to the rights and freedoms of natural persons', both the likelihood and severity of that risk should be considered.

OK, so what does an EU Representative do?

Guidance from the European Data Protection Board states that:

  • the EU Representative has a duty to hold, maintain, and provide to supervisory authorities their clients' Article 30 records of processing activities, although the primary duty for preparing this document rests with the controller/processor which appointed them;
  • the EU Representative should in principle communicate with the data subject and EU authority in the language they typically use, unless this results in 'disproportionate effort'.

The EU Representative is also the main point of contact for your European clients and Supervisory Authorities.


About the Author

Stuart Anderson is the CEO of XpertDPO Ltd, a company specialising in Data Protection and Cyber Security. XpertDPO provides Outsourced Data Protection Officer and EU Representative services to a diverse range of clients from the United States to Israel and everywhere in between.


Stuart Anderson / BA (Hons) / CDPO / EU GDPR (F&P IBITGQ)
