One of the cornerstones of the GDPR is its extra-territorial reach. Since May 25 and the entry into force of the new law, an organization with no entity, no offices, no server, or no employees in the EU may still be subject to GDPR. If it is, it may also have to appoint a representative in the EU. In this article we introduce the requirement, purpose and role of the EU representative under GDPR.
The General Data Protection Regulation (GDPR), the new European legislation on data privacy, which came into effect on May 25, 2018, is a unique regulation for many reasons including its broad territorial reach. Unlike previous European legislations which only effected organizations physically within the EU, the obligations under the GDPR apply to any organization that processes EU resident data regardless of where in the world they are located.
Because of this new obligation, organizations with no established presence within the EU that process data of EU residents are now subject to additional requirements, including appointing an EU representative.
What is an EU representative?
Article 27 of the GDPR establishes that organizations that process personal data of EU residents must appoint an EU representative when they are not based in or do not have any physical presence in the EU, and where the processing relates to (1) offering goods or services to EU residents or (2) monitoring behavior of EU residents. The purpose of an EU representative is to make sure organizations located outside the EU have a physical presence in the EU as a point of contact for questions and investigations.
The EU representative must be:
- a natural person
- designated in writing in a document which includes the rights and obligations of the representative
- physically established in an EU member state where the data subjects whose personal data is being processed reside
- the direct point of contact for Supervisory Authorities and Data Subjects
- the authorized recipient for all legal documents
- responsible for documenting and maintaining records of the organization’s processing activities
An EU representative does not need to be a legal or data security professional, since assessing and maintaining compliance on behalf of the organization is generally the responsibility of the Data Protection Officer or Data Privacy Manager. However, the appointed representative should be well-informed and conversant enough in the GDPR, the various national data protection laws of the member states in which the company collects the data of EU residents, and in the organization’s specific practices, as they may be required to communicate with regulators, authorities, and data subjects regarding these practices.
Please note that appointing an EU representative does not remove any liability for non-compliance from the controller/processor. Both the controller/processor and the EU representative are liable and subject to enforcement actions.
Does my organization need to appoint an EU representative?
Below are a series of questions an organization should ask themselves to determine if they are required to appoint an EU representative. Refer to our GDPR Glossary for any new or unclear terms.
- Does my organization process the personal data of EU residents?
The GDPR only applies to data subjects physically residing within the EU at the time their data was processed. If the answer is no, your organization is likely not subject to the GDPR as a whole.
If yes, continue to the next question.
- Does my organization offer goods or services to EU residents, or monitor the behavior of EU residents?
This only applies where organizations have acted with the intent of directing their services at EU residents. If an organization runs a website that residents in the EU happen to be able to access, that is likely not enough.
If yes, continue to the next question.
- Does my organization have any offices or employees located in the EU?
If the answer is yes, then your organization is not subject to the requirements under Article 27. If the answer is no, your organization is obligated under Article 27 to appoint an EU representative. Refer to the exception below to see if your organization is eligible.
What are the exceptions to the Article 27 EU representative requirement?
Under Article 27(2)(a), organizations are not required to appoint an EU representative if they meet all of the following:
- Personal data is only processed occasionally
Currently, there is very little guidance on what qualifies as occasional processing, however an organization should make a reasonable determination based on the frequency and quantity of processing, in addition to how much the organization depends on that processed data to run its business.
- No large scale processing
Recital 91 of the GDPR defines large scale processing as processing “which could affect a large number of data subjects and which are likely to result in a high risk to the data subject.”
- No processing of special categories of personal data
Special categories of personal data (also referred to as “sensitive data”) include data regarding race, ethnicity, political opinion, religion, philosophical belief, trade union membership, genetic data, biometric data, health data, sexual orientation, and data regarding sex life.
- No processing data regarding criminal offences
This includes any data about criminal arrests, investigations, or convictions
- Processing is not likely to result in risk to rights & freedoms of data subjects
Recital 75 of the GDPR elaborates on this concept by explaining that risks to rights and freedoms “may result from personal data processing which could lead to physical, material or non-material damage.” This includes where processing could result in discrimination, identity theft, financial loss, reputational damage, breach of confidentiality, or where data subject may lose control over their personal data. Organizations should look at their processing activity from the perspective of a data subject to reasonably determine if their processing could affect any of these rights.
If an organization meets all of these requirements and is eligible for the exception, they must document the decision and the reasoning for not appointing an EU representative. Failure to appoint a representative where there was an obligation to do so may result in fines of up to 10 million euros or 2% of the total worldwide annual turnover.
If my organization is required to appoint an EU Representative, where do they need to be located?
An organization’s EU representative should be located in a member state where the data subjects whose data they process are residing. If an organization processes personal data from EU residents of many different member states, they are only required to appoint an EU representative in one member state. Considerations in choosing a member state should include what the native language is, how much data the organization’s processes in that member state, and the individual rules and regulations of that member state.
There are many companies located within the EU that now offer EU representative services for organizations subject to Article 27. Organizations that are unprepared or unable to meet this requirement independently should reach out to us for further guidance.
This article has been written in collaboration with Monica Meiterman-Rodriguez