Appointing an EU Representative When an EU representative is required and what you should know when appointing an EU representative. EU representation is essential for all non-EU businesses for the purposes of compliance with Article 27 of the GDPR. When is an EU Representative required under GDPR? An EU representative is required under GDPR in any situation where a persons’ who’s holding data on behalf of a data subject based in the EU, but does not actually have an establishment in the EU themselves. So for instance, if a business outside of the EU is collecting or holding data in relation to people who are in the EU, but that business does not have any presence in the EU itself, it needs to appoint a representative in the EU, for the purpose of the GDPR compliance. Who needs an EU Data Representative? Essentially any business, located outside of the EU, that does not have a presence in the EU itself, who does business with or holds data on behalf of people who are in the EU, then that business is required to appoint representative. Where should your EU Data Representative be located? There is quite a bit of discretion around this. The only absolute rule is that there needs to be at least one or some data subjects in the EU member state in which the representative is appointed. But once that is the case, and there is no hard and fast rule and you can select the member state that suits you best. It has been suggested that best practice might be to appoint the representative in the member state where most of your data subjects are located. But that’s not a hard and fast rule. Once you have a representative in one member state where you have at least one or some data subjects that will cover you for the entire of the EU. What is required of an EU Representative under the GDPR? Under the GDPR the EU representative is effectively the point of contact for the non EU business in the EU. It means that data subjects, or the EU citizens or people who are living in the EU whose data is held by the business, they are entitled to be able to contact somebody locally to them, based in the EU as well, who they can contact if they want to exercise their GDPR rights, if they want to make a Subject Access Request or to exercise any of their other GDPR rights. They are able to contact the local representative to do that on their behalf. And also, if the Data Protection Supervisory Authority needs to contact the business in relation to a GDPR issue, if it gets a complaint from the data subject or has any other issues that it wants to raise with the Data Controller or Processor, then it can contact the representative in the EU, on behalf of that controller who’s located outside the EU. Are EU representatives involved in advising companies on GDPR compliance in any regard?
It is certainly possible. The representative can provide additional or ancillary services on top of the bare representation. And, if a contact is received from a data subject, it may well be that the business could look to the representative to assist it in detailing with GDPR compliance issues in respect of that contact. So, the core function of the representative is simply to provide that point of contact and liaison between local subjects and supervisory authorities in the business, but there is nothing to prevent the representative being able to provide additional or ancillary services around GDPR compliance, as they arise. Do EU representatives just respond to individual inquiries and access requests independently or do they simply forward those inquiries to the business and share the response for the individual? Well we think it is important that they would not do anything independently and they would be ultimately acting on behalf of the data controller or the data processor in responding to the request. The first thing that they will do, as a matter of practice, is to relay the request or communication that has been received from the data subject to the controller or processor. And if, for instance, that is an Access Request or an exercise of a GDPR subject right, then the receipt by the representative of the request will then trigger the time limits under the GDPR for compliance. With the Access Request for example, it will be normally a month. It may well be that the representative would be communicating back and forth with whoever has initiated the subject access requests or alternatively, there is nothing to prevent the controller becoming involved directly if that is more convenient or preferable for both parties so it’s really down to whatever suits best for everybody concerned, once the actual request that has been made is being fulfilled within the time limits and in accordance with the GDPR. What do you need to consider when appointing an EU and/or a UK representative? The primary thing to consider would be the body or organization that you are appointing is a reputable one and clearly understands the role that they are carrying out and have got the wherewithal to be able to do that for you. The kind of things you would look to would be what level of knowledge or expertise they have in that area. Other important factors to consider – a responsible business in this area would be insured and carry the appropriate business liability insurance for the function they are undertaking. Similarly, things like ISO 27001 would be a very important factor to consider we think for any serious business looking at information security to see that the organization has that in place. And just to see what levels of communication and responsiveness can you see from the business, because that is their primary function on your behalf. When you communicate with them, are you being responded to in the kind of way that you would like to see anybody who is contacting your business in relation to GDPR compliance would receive a similar response. How will things change with the GDPR after Brexit? The primary change resulting from Brexit would be that the UK will no longer be a member state of the EU. And prior to Brexit, the UK was a member state of the EU along with all of the other 27 member states of the EU, and after Brexit it no longer will be part of the EU. Therefore, if the business is located in the UK, prior to Brexit, it will be located in the EU and will not need to appoint a representative. But if the business is located in the UK after Brexit and continues to hold data or do business with data subjects or people who are located in the EU, it will then be required to appoint a
representative in the EU, the same as any other third country outside of the EU will be required to do so. What is the difference between an EU representative and a UK representative? The UK has adopted its own form of the GDPR which will apply after Brexit, and it is called the UK GDPR, and at present is very similar to the EU’s original GDPR. Of course, the UK has been observing the GDPR since it came in, and therefore the UK’s GDPR has its own Article 27 of the UK GDPR which requires non-UK based businesses to appoint a representative in the UK, if the business does not have an establishment in the UK, and it’s holding data on behalf of people who are in the UK. So, after Brexit, a non-UK business will have to appoint a UK representative in the same way that a nonEU based business, dealing with people in the EU and holding data on behalf of people who are in the UK. So, after Brexit, a non-UK business will have to appoint a UK representative in the same way that a non-EU based business, dealing with people in the EU and holding data on behalf of people in the EU will need to do so currently. Potentially a business located outside of both the EU and the UK, for example in North America or anywhere else internationally outside of the two jurisdictions could possibly, if they are dealing with data subjects who are located in the EU and the UK, be required to appoint two different representatives, one based in the UK to represent UK data subjects and one based in the EU to represent EU data subjects, as things currently stand. Obviously, after the UK leaves the EU, it may change its rules around data protection and there is some uncertainty around that, but at present, that is how things stand.