By the time the UK left the EU on the 1st January 2020, the European Union’s GDPR rules had been written into UK law under the Data Protection Act. The rules have stayed almost identical to the original EU GDPR text, with the exception of some local provisions relating to enforcement and action, and the removal of any references to “union law”, since this law is now a national law in the UK.
You may then wonder whether, now that UK GDPR applies, you also need to comply with the requirements of the EU GDPR, for example the requirement (in some situations) to have a local GDPR representative within the EU. In this article we aim to help you understand whether this applies to you, explain briefly what a GDPR representative is, and give you some advice on how to find one.
To start, let’s be clear on who needs an EU representative:
For companies based outside the EU that wish to continue trading with EU customers, a local representative in the EU will be required under Article 27 of the GDPR.
What is a GDPR representative?
A GDPR representative acts on behalf of the data controller or processor which is based outside of the EU. They represent the data controller or processor within the EU. They operate under the written authority of the controller or processor to act on its behalf with regard to obligations under the GDPR. These obligations may include the exercise of data subject rights, for example when a data subject in the EU requests a copy of their personal data, under the right of access. It also includes communicating with local supervisory authorities when any complaint is raised, an audit is requested or when any other matter relating to compliance is raised. Designating a representative in the EU does not affect the responsibility or liability of the data controller/processor. They are still obligated to fully comply with the GDPR and can be held liable for non-compliance.
Who needs a GDPR representative?
Companies based outside the EU are required to appoint an EU representative if they process the personal data of data subjects who are in the EU for the purposes of offering goods and services, or regular monitoring. This applies irrespective of whether any payment occurs between the data subject and the data processor.
In practice, this could mean providing a website in an EU language, accessible in the EU, that offers payments in EUR. Profiling EU visitors to your website using tracking technologies and cookies, such as Google Analytics, could also qualify.
Companies are exempt if the processing:
- is only occasional;
- does not include processing, on a large scale, of special categories of personal data or of personal data relating to criminal convictions and offences; and
- is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
Companies are also exempt if the controller is a public authority or body.
In practice, these criteria are difficult to meet. A website that tracks EU users, for example, could not be considered occasional processing if it is accessed all year round.
The EDPB has provided examples of when this applies in its recent guidance. Quoting an example directly from the guidelines:
“A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany.
In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union.
As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a).
In accordance with Article 27, the data controller will have to designate a representative in the Union.”
So be aware that the reach of this legislation is broad.
Who can be your GDPR representative?
Your GDPR representative:
- Must be a legal entity.
- Must be based in an EU member state.
- Must be able to communicate with supervisory authorities in Europe on your behalf.
- Must be able to communicate effectively; in practice this means knowing the local language.
- Must have excellent knowledge of GDPR and general data privacy laws. Otherwise they just represent a further risk to your organisation.
Can a Data Protection Officer (DPO) be your GDPR Representative?
No. A Data Protection Officer is not able to be your GDPR representative because this would present a conflict of interests, and it may undermine the Data Protection Officer’s ability to fulfil their role.
In its guidance, the EDPB recalls the position previously taken by the WP29 that “a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues”.
The EDPB does not consider the two roles compatible.
What do we need to publish about our GDPR Representative and where?
You can read the ICO’s guidance on Brexit here.
We also recommend you read the most recent update from the EU Working Party on EU Representatives.