The European Data Protection Board in its guidelines on the territorial scope of the GDPR confirmed the importance of the requirement to appoint an EU Representative. This has been described as the “forgotten obligation”. This article will explain what an EU Representative under Article 27 of the GDPR is, what responsibilities EU Representatives have and who is required to appoint an EU Representative.
What is the Role of an EU Representative Under Article 27 of the GDPR?
The primary role of the EU Representative is to be a point of contact for Data Protection Authorities and Data Subjects in the European Union to ensure compliance with the GDPR. The identity and contact details of the EU Rep must be provided to Data Subjects.
Given the importance of this role, the European Data Protection Board (EDPB) have released guidelines on the appointment of EU Representatives in compliance with Article 27 of the GDPR. Importantly, the EDPB recommends that an individual be assigned as the lead contact for the EU Rep services on behalf of the controller of processor.
The EU Representative is distinguished from a Data Protection Officer in that they take instructions from organisations. This contrasts with the role of the DPO which is independent in the delivery of their functions. In Rondon v LexisNexis Risk Solutions UK Ltd, which considered the liability of an EU Representative for the actions of the controller, it was noted that EU representatives have “a bespoke, limited but important role which supports and is ancillary but not alternative to extra-jurisdictional enforcement against Art.3.2 controllers”.
Who is Required to Appoint an EU Representative?
Article 3(2) of the GDPR provides that the GDPR is applicable to controllers and processors not established in the EU who offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU.
Article 27(1) states that where the above provision applies, the controller or processor must designate a representative in the Union (in writing).
Therefore, organisations which are not established in the EU, which offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU are required to appoint an EU Representative.
There are some limited exceptions to the requirement to appoint EU representatives. Article 27(2) provides that the exceptions to this are where the processing of the personal data of data subjects in the Union is occasional, does not include the processing of special categories of personal data, data relating to criminal convictions or data likely to result in a risk to the rights and freedoms of natural persons or processing by a public authority or body.
An EU Representative under this article must be an individual or a company established or residing anywhere in the European Union.
What are the Consequences of Not Appointing an EU Representative?
Failure to appoint an EU Representative, as an organisation based outside the EU selling to or monitoring Data Subjects in the EU can lead to attracting negative attention from Supervisory Authorities. An example of this was the fine that the Dutch Data Protection Authority imposed on locatefamily.com for failure to appoint an EU Representative. The non-EU based website was fined over €500,000 with a requirement to pay an additional €20,000 for each two-week period they failed to appoint an EU representative.
Do You Need an EU Representative for Your Organisation?
If you require an EU Representative for your organisation, Pembroke Privacy offers reliable EU Representative Services and is experienced in working with international organisations to provide this service. When you appoint Pembroke Privacy as your EU Representative you will have access to a dedicated EU Rep Team with a Lead Consultant who will oversee the effective management of your EU Rep services. The Lead Consultant will be supported by a team of Pembroke Privacy data protection experts.
Please contact info@pembrokeprivacy.com to learn more about our EU Representative services.