Do you need a GDPR Representative in the EU after Brexit?

When the transition period for the UK leaving the EU ends on the 1st January 2020, many things will change about how data can be transferred between the two areas. For companies based outside the EU that wish to continue trading with EU customers a local representative in the EU will be required under Article 27 of the GDPR. 

The standards applied to protecting personal data will generally stay the same, because the UK will be writing GDPR level protections into UK law. So companies that wish to trade between the UK and EU will not be starting from scratch. However they will have certain obligations, such as registering a representative to think about.

What is a GDPR representative?

A GDPR representative acts on behalf of the data controller or processor which is based outside of the EU. They represent the data controller or processor within the EU. They operate under the written authority of the controller or processor to act on its behalf with regard to obligations under the GDPR. These obligations may include the exercise of data subject rights, for example when a data subject in the EU requests a copy of their personal data, under the right of access. It also includes communicating with local supervisory authorities when any complaint is raised, an audit is requested or when any other matter relating to compliance is raised. Designating a representative in the EU does not affect the responsibility or liability of the data controller/processor. They are still obligated to fully comply with the GDPR and can be held liable for non-compliance.

Who needs a GDPR representative?

Companies based outside the EU are required to appoint an EU representative if they process the personal data of data subjects who are in the EU for the purposes of offering goods and services, or regular monitoring. This applies irrespective of whether any payment occurs between the data subject and the data processor.

In practice, this means providing a website in an EU language, accessible in the EU and offering payments in EUR. Or, profiling EU website visitors to your website, using tracking technologies and cookies, such as Google Analytics could qualify.

Exemptions

Companies are exempt if the processing is only occasional. 

And, it does not include processing, on a large scale of special categories of personal data or the processing of personal data relating to criminal convictions and offences.

And, is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

Or if the controller is a public authority or body.

In practice, these criteria are difficult to meet. The use of a website that tracks EU users, could not be considered occasional if it is accessed all year round for example.

Example

The EDPB has provided examples of when this applies, in their recent guidance. Quoting an example directly from their guidelines:

“A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany.

In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union.

As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a).

In accordance with Article 27, the data controller will have to designate a representative in the Union.”

So be aware that the reach of this legislation is broad.

Who can be your GDPR representative?

Your GDPR representative:

  • Must be a legal entity.
  • Must be based in an EU member state.
  • Must be able to communicate with supervisory authorities in Europe on your behalf.
    • Must be able to communicate effectively, in practice this means knowing the local language.
  • Must have excellent knowledge of GDPR and general data privacy laws. Otherwise they just represent a further risk to your organisation.

Can a Data Protection Officer (DPO) be your GDPR Representative?

No. A Data Protection Officer is not able to be your GDPR representative because this would present a conflict of interests, and it may undermine the Data Protection Officer’s ability to fulfill their role. 

In their guidance, the EDPB recalls the position previously taken by the WP29 that “a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues”

The EPDP does not consider the two roles compatible.

What do we need to publish about our GDPR Representative and where?

You must publish the name and contact information of your GDPR representative. It should be displayed clearly within your privacy policy. You can also advise data subjects within the EU to contact your GDPR representative to exercise their rights in relation to GDPR.

Where can I read the latest guidance on GDPR Representatives?

Right here, we’ll be keeping this post up to date as more information emerges from the UK Government, the supervisory authorities and the EU. 

You can read the ICO’s guidance on Brexit here

We also recommend you read the most recent update from the EU Working Party on EU Representatives.