An interesting question facing non-E.U. (or non-EEA) companies with E.U.-based customers (i.e. data subjects) is what they need to do regarding the European Union General Data Protection Regulation (E.U. GDPR), which goes into effect on May 25th, 2018.
Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP
If the foreign company has a subsidiary or local office in an E.U. country, then that office likely already bears some or all of the responsibility for ensuring that the company complies with GDPR. However, many companies will not have an E.U. office, and therefore may need to appoint an official Representative. This article focuses on what such a Representative will look like, what they will do, and whether one must be appointed or not.
Role of a DPO versus GDPR Representative
Ideally, the Representative should be located in the E.U. member state where most of the customers are based. This is different from the role of Data Protection Officer (DPO). Note that appointment of a DPO is not mandatory under GDPR unless there is a risk to the rights and freedoms of data subjects (public authorities may be safely excluded, since they will always be in the applicable home country within the E.U.).
However, the appointment of a GDPR Representative under these conditions is mandatory (subject to the exceptions listed below). Foreign (non-EEA) companies are not permitted to do business with E.U. resident customers without either a local subsidiary (“main establishment”) or a local GDPR Representative. How this will be enforced is a different question, and one that is outside the scope of this article.
According to the Article 29 Working Party, “To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union.”
The Working Party goes on to advise: “As a possible exception, the WP29 allows that in some situations, where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.”
Note that this advice is unlikely to change substantively after Brexit for the UK, which will technically be outside of the E.U. but will remain a full party to the GDPR. Possibly, the UK may stay part of the EEA, but that remains to be seen (pun intended).
It should be noted that the role of a DPO and that of the Representative are quite different. DPOs are responsible for assisting their Data Controllers and Processors to be compliant with GDPR, whereas Representatives have more of a liaison role, meaning they coordinate communications in the local language with data subjects and the relevant data protection authority.
For example, a US company which has direct customers in France will be likely to assign their DPO responsibilities to their Chief Privacy Officer, who may or may not be based in the E.U. (the Article 29 guidance is not mandatory). They are however obliged to establish and nominate an official GDPR Representative in France, who must be able to communicate in French with local data subjects and the CNIL.
How and Who to Appoint as a Representative
According to GDPR Article 27(1), the appointment of an E.U. Representative for companies without an office in the E.U. must be made in writing. The written agreement or contract should at least state the rights and obligations of the Representative. An oral appointment of the Representative is categorically excluded. The Representative may be a natural person or a legal person, i.e. a company.
Whoever is chosen, they should have a good grasp of data protection issues, and specific knowledge of the GDPR and relevant local laws (such as enabling legislation), but in general need not be as well-qualified as a DPO. They do however have an obligation to be able to communicate with both data subjects and the local Data Protection Authority (DPA) in the local language.
Note that the appointment of a local Representative does not remove the liability of the Data Controller and Data Processor regarding their responsibilities under GDPR.
Limitations of the Representative
Non-EEA Controllers cannot benefit from the One-Stop Shop (OSS) mechanism. In practical terms, this means that the presence of a Representative is not considered to be equivalent to having a “main establishment”, which is a prerequisite for OSS.
For example, if the Controller experiences a data breach, they must separately notify the DPA in each affected jurisdiction, rather than just notifying the DPA in the country where the Representative is based. Naturally, notification of the breach can be handled by the Representative, however they must take care to ensure that local language differences are respected.
Choosing a GDPR Representative
It’s important to be aware of the issue of liability. Companies offering Representative services will recognize that they may be subject to enforcement actions by data protection authorities if the Data Controllers they represent are non-compliant with GDPR. Look for one with appropriate liability insurance.
It’s also possible to avoid the appointment of a local Representative, but only if all of the following conditions are true:
- personal data is only processed occasionally;
- the processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and
- the processing is unlikely to result in a risk to the rights and freedoms of data subjects.
If all of the above are true, then you will not need to appoint a local Representative, but this decision must be documented in writing, and may be subject to a challenge by affected DPAs.
However, if any of the above is false, then you will need to appoint a local Representative.
Chaucer offers advisory services on GDPR, as well as DPO and GDPR Representative services. Please contact us on DigitalAdvisory@Chaucer.com or 0203 934 1099.