This article follows up on a previous article I published on this blog on July 23, 2018, i.e., shortly after the date the GDPR became enforceable on May 25, 2018.
In our article last July we explained that one of the cornerstones of the GDPR is its extra-territorial reach. Since May 25, an organization with no entity, no offices, no server, or no employees in the EU may still be subject to GDPR. If it is, it may also have to appoint a representative in the EU.
In our July article we introduced the requirement, purpose and role of the EU representative under GDPR, a topic which continues to generate quite a lot of debate on this side of the pond where companies with no presence in the EU continue to be puzzled by the prospect of being subjected to the GDPR’s hefty fines just by virtue of collecting EU residents’ personal information.
On November 16, the European Data Protection Board (EDPB), the successor of the now defunct Article 29 Working Party, an informal working group composed of representatives of each Member State data protection authority (now called supervisory authorities under the GDPR), published its long awaited Guidelines 3/2018 on the territorial scope of the GDPR.
We will shortly publish another article deciphering these guidelines for you, however we wanted in this updated article to examine the obligation under Article 27 to appoint a EU representative in light of the latest opinion published by the EDPB.
As explained, unlike under the previous EU Privacy Directive of 1995, which only affected organizations physically present within the EU, the obligations under the GDPR apply to any organization that processes EU resident data regardless of where in the world they are located.
Because of this new obligation, organizations with no established presence within the EU that process data of EU residents are now subject to additional requirements, including appointing an EU representative.
What is an EU representative?
Article 27 of the GDPR establishes that organizations that process personal data of EU residents must appoint an EU representative when they are not based in or do not have any physical presence in the EU, and where the processing relates to (1) offering goods or services to EU residents or (2) monitoring behavior of EU residents. The purpose of an EU representative is to make sure organizations located outside the EU have a physical presence in the EU as a point of contact for questions and investigations.
The EU representative must be:
- designated in writing in a document which includes the rights and obligations of the representative
- identified in the organization’s privacy policy and in any records of processing activities
- physically established in an EU member state where the data subjects whose personal data is being processed reside
- the direct point of contact for Supervisory Authorities and Data Subjects
- the authorized recipient for all legal documents
- responsible for documenting and maintaining records of the organization’s processing activities
An EU representative does not need to be a legal or data security professional, since assessing and maintaining compliance on behalf of the organization is generally the responsibility of the Data Protection Officer or Data Privacy Manager. However, the appointed representative should be well-informed and conversant enough in the GDPR, the various national data protection laws of the member states in which the company collects the data of EU residents, and in the organization’s specific practices, as they may be required to communicate with regulators, authorities, and data subjects regarding these practices.
Please note that appointing an EU representative does not remove any liability for non-compliance from the controller/processor. Both the controller/processor and the EU representative are liable and subject to enforcement actions.
What do the recent EDPB Guidelines on the territorial reach of the GDPR say about the EU representative?
The new Guidelines have a whole section 4 dedicated to the role of the representative for controllers or processors not established in the EU. Although the Guidelines do remind the reader that the obligation under Article 3(2) of the GDPR to designate a representative in the EU isn’t entirely new since it already existed under the 1995 EU Privacy Directive 95/46/EC, what is new is however the fact that processors, and not just controllers, may also be subject to this obligation, unless they also meet the exemption criteria as per Article 27(2).
In practice, the function of representative in the Union can be exercised based on a service contract concluded with an individual or an organization, and can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or private companies, provided that such entities are established in the EU.
While the GDPR does not foresee any obligation to the data controller or the representative itself to notify the designation of the latter to a supervisory authority, the EDPB recalls that, in accordance with Articles 13(1)a and 14(1)a, as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the EU. This information shall for example be included in the privacy notice or upfront information provided to data subjects at the moment of data collection. A controller not established in the EU but falling under Article 3(2) and failing to inform data subjects who are in the EU of the identity of its representative would be in breach of its transparency obligations as per the GDPR. Such information should furthermore be easily accessible to supervisory authorities in order to facilitate the establishment of a contact for cooperation needs.
Article 27(3) foresees that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are”. In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behavior is being monitored.
The EDPB confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed. The place of processing, even by a processor established in another Member State, is here not a relevant factor for determining the location of the establishment of the representative.
What exactly are the responsibilities of the EU representative?
The EU representative acts on behalf of the controller or processor it represents with regards to the controller or processor’s obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights. While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights are effective.
As per Article 30, the controller or processor’s representative shall also maintain a record of processing activities under the responsibility of the controller or processor. The EDPB considers that the maintenance of this record is a joint obligation and that the controller or processor not established in the Union must provide to its representative all accurate and updated information so that the record can be maintained and made available by the representative.
As clarified by recital 80, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with the GDPR. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the EU, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the EU.
The representative in the EU must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.
In line with Recital 80 and Article 27(5), the designation of a representative in the EU does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
It should however be noted that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.
There are many companies located within the EU that now offer EU representative services for organizations subject to Article 27. Organizations that are unprepared or unable to meet this requirement independently should reach out to us for further guidance.