The GDPR requires organisations that are not based in the EU but that process personal data relating to people in the EU to appoint a representative in certain situations. The requirements, which we will explore below, have been catapulted to centre stage recently following a €525,000 fine which was imposed on the website “Locatefamily.com” by the Dutch DPA, because of their failure to comply with Article 27 and designate an EU Data Representative. So, it is important for organisations to consider whether they are required to appoint an EU representative.
Who needs an EU Representative?
It is necessary for an organisation to appoint an EU Representative where the organisation has no establishment in the EU but processes personal data of data subjects who are in the EU and where the processing activities are related to:
- the offering of goods or services to data subjects in the EU; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
Article 27(2) lists some exceptions to the requirement to designate an EU Representative where the processing:
- Is occasional, i.e., it is not carried out regularly and occurs outside the regular course of the organisation’s business or activity;
- Does not include the processing on a large scale of Article 9 special categories of data [1] or processing of personal data relating to criminal convictions and offences; and
- Is unlikely to result in a risk to the rights and freedoms of natural persons.
According to the Article 29 Working Party (WP29), processing can only be considered “occasional” if, as mentioned above, it is not carried out regularly or it occurs outside the regular course of business or activity of the controller or processor. For example, if you were a small “mom-and-pop shop” based in a town in Texas, with an e-commerce store that received orders from EU customers once every few months, this is likely to be mere “occasional” processing which would not require the appointment of an EU Representative. However, if that shop expanded its online European offering and targeted European customers, for example by offering a website in a local language aimed at individuals in that EU country, then an EU Representative could be required.
WP29 recommends that the following factors be considered when determining whether processing is being carried out on a “large scale”:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
Public bodies are also exempt from the requirement. The EDPB recognises the nature of public authorities and bodies and, accordingly, considers that their tasks would not generally create a circumstance in which they would be offering goods or services to, or monitoring the behaviour of, data subjects within the EU.
What is an EU Representative?
Essentially the EU Representative provides a contact point for the organisation in the EU so that Supervisory Authorities and data subjects can contact a local representative of that organisation with queries or complaints about how their data is processed.
Article 27 of the GDPR provides that the EU Representative “shall be mandated by the controller or processor to be addressed, in addition to, or instead of, the controller or the processor by supervisory authorities and data subjects, on all issues related to processing”, for the purposes of ensuring compliance with the GDPR.
It is important to note that, under Article 27(4), the designation of an EU-based representative does not affect the responsibility or liability of the controller or of the processor. The controller or processor is always accountable. The EU Representative is merely a contact point for the controller or processor.
Who can be an EU Data Representative?
A Representative can be a natural or legal person, i.e., an individual, company or organisation established in the EEA. Whoever is designated as the Representative must have the ability to represent the controller when it comes to meeting obligations under the GDPR.
The EU Representative must be established in one of the Member States where the data subjects whose data is being processed are based. If an organisation processes personal data relating to data subjects in multiple EU Member States, the organisation should decide where to appoint the EU Representative based on where those data subjects are located. If the bulk of the data processed relates to one country, that is where the EU Representative should be appointed.
Should I appoint a DPO or an EU Representative?
A DPO and an EU Representative are not the same role, nor do they have the same function or requirements. They apply to different types of activities, have different duties under the GDPR, and the circumstances under which each role should be appointed differ greatly.
Is the obligation enforced?
It seems that many organisations which do not have a presence in the EU, but which fall under the scope of Article 3(2) of the GDPR, have failed to designate an EU Representative. This raises the question of whether these organisations do not fully understand the obligation or whether they have simply decided to take the risk of not complying with Article 27, as there has been no enforcement regarding this obligation to date. However, the Dutch DPA’s recent decision to fine Locatefamily.com highlights that Supervisory Authorities are starting to act.
Locatefamily.com, according to its website, helps people “find family, long lost friends, old flames [and] neighbours, for FREE.” To do so, it publishes people’s addresses, phone numbers and other personal details, often without their knowledge. The information published on the website listed approximately 700,000 Dutch people as well as many more from around the globe and from within Europe. Because the organisation does not have an EU Representative, data subjects within the EU have no easily accessible point of contact and cannot, as a result, effectively exercise their rights, especially the right to erasure and the right to be forgotten.
According to the Dutch DPA’s press release, it received dozens of complaints about the website. Data subjects were unaware of how their details even came to appear on the site, as they did not provide the details themselves, nor did they consent to their personal data being displayed and freely accessible to anyone in this way. Deputy chair of the DPA, Monique Verdier, spoke on the matter and said, “for a website to publish your phone number and address without your knowledge is unacceptable … [and that] … private information must remain private.” While acknowledging that people can certainly share this type of information if they so wish, Verdier also stated that “this should be your choice to make.” While the fine of €525,000 related to a variety of compliance failures under the GDPR, the lack of an EU Representative was one of those compliance failures which could easily have been avoided.
Summary
Overall, the key points to consider when determining if an organisation needs to designate an EU Representative are:
- Is the organisation based outside the EU, without an office, branch, etc. in the EU?
- Does the organisation target EU customers and is there large-scale, regular processing of their data?
- Does the organisation monitor EU data subjects’ behaviour?
If so, you will need to consider appointing an EU Representative. At Pembroke Privacy, we act as EU Representative for global clients offering financial services, technologies and other goods and services to EU customers.
Please contact your regular Pembroke Privacy contact or click here for more information about our EU representative services.
[1] Article 9 Special Categories of Data include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Authors: Greta Dineen Kelly (IAPP Westin Scholar Book Award recipient 2020) & Kate Colleary (IAPP Country Leader for Ireland)