Since the introduction of the GDPR, a great number of extra-European companies have been obliged to appoint a GDPR representative.
The European Commission implemented the General Data Protection Regulation (GDPR) in 2018. The influence of this regulation is unprecedented in that it affects extra-European entities as well as those resident in the European Union. In practice, the GDPR is the largest set of privacy protection regulations currently in force.
Its implementation prompted the emergence of new occupations specializing in data protection. In particular, the GDPR requires companies based outside the EU and affected by the regulation to appoint a data protection representative (“GDPR representative”) to act as a liaison between the organizations and European regulatory authorities.
The data protection representative
Article 27 of the GDPR establishes that companies based outside the European Union are required to appoint a GDPR representative if they process the personal data of individuals in the EU. Companies with no established presence within the European Union are therefore obligated to designate a representative in an EU Member State.
This applies to data controllers, as well as to subcontractors working on behalf of other companies.
Your representative must fulfill three obligations with the European regulatory authorities on your behalf:
- Act as the point of contact with supervisory authorities for all matters related to the processing of personal data.
- Serve as the point of contact for data subjects wishing to exercise their rights.
- Maintain a register of personal data processing activities conducted within EU territory.
As the United Kingdom is no longer a member of the European Union, it has its own data protection regulation, known as the “UK GDPR.” Therefore, if you are a non-UK company processing personal data in the UK, you will need to appoint a GDPR representative in the United Kingdom. This person will handle representation duties within British territory.
Why appoint a data protection representative?
First and foremost, there are cases in which the appointment of a representative is mandatory. Indeed, as previously noted, any foreign private entity without an established presence in the European Union is required, under Article 27 of the Regulation, to designate a GDPR representative.
The types of business activity in question are those generally subject to the GDPR:
- The provision of goods or services entailing the processing of personal data for people located within EU territory;
- Activities that enable monitoring of the behavior of people located within EU territory.
Moreover, the appointment of a representative helps your company more easily meet its obligations under the GDPR and avoid substantial fines.
Keep in mind that you must comply with the GDPR even if you are not required to appoint a GDPR representative.
What exceptions are there to the obligation to appoint a GDPR representative?
First of all, the obligation to appoint a GDPR representative does not apply to European companies.
Furthermore, public organizations are exempt from this obligation.
Finally, companies may be exempted from designating a data protection representative when their data processing fulfills the following three criteria:
- It is only occasional.
- It does not involve large-scale processing of special categories of data, or data relating to criminal convictions and offenses.
- It is unlikely to result in a risk to the data subjects’ rights and freedoms.
How to choose a GDPR representative
Here are the most important aspects to consider when making your choice:
Who can be a data protection representative?
Your data protection representative can be any natural person or legal entity established in the European Union.
Given the extreme complexity of the GDPR, choosing a data protection expert is strongly recommended. Such an expert will be best placed to handle your issues efficiently and ensure your GDPR compliance.
Where should you appoint your data protection representative?
That depends on your data processing activities.
If you process data uniformly in more than one Member State of the European Union, you only need to appoint a representative in one EU country. That representative will then deal with all processing activities conducted within the European Union.
In fact, the GDPR is uniformly applied in all Member States.
Once your representative has been appointed, it will be difficult for you to make a change. For that reason, it is essential that you carefully select the country in which to appoint your representative. For example, it could be one of the countries in which you do business or in which European authorities are located.
How to designate a GDPR representative
Data controllers or subcontractors must designate a representative in writing.
In most cases, this can be done by establishing a contract. The contract must include:
- contact information for your organization,
- contact information for your representative,
- and a reference to the GDPR provisions regarding European representatives.
Your contract must also include other clauses, such as:
- Clauses describing each party’s obligations
- Liability clauses
- Indemnity clauses
- Non-disclosure clauses
You must also ensure that the agreement does not provide for automatic termination if your company experiences a data breach.
In conclusion, it is important to choose the right representative. It is your legal obligation as well as evidence of quality service.
Do you think you may need a data protection representative? Get in touch with the experts at ASD Group.