After the transition period (*currently* 31st December 2020), UK companies that don’t have an EU presence but are doing business in the EU will need to appoint a representative. So, it is a good idea to start preparing for this.
To help, ActiveMind Legal, who specialise in international data protection, have worked with us to pull together a Q&A to identify if you need an EU rep, and if you do, who they should be…
1. Who needs an EU representative?
Any business that doesn’t maintain an establishment in the EU but does target individuals in the EU.
a. What’s an establishment?
Some form of activity through a stable arrangement, such as a fixed place of business, an office, branch, or factory. Just having an employee or contractor based in an EU country is not enough.
b. What does targeting mean?
It means offering goods or services to people whose data you hold and process, including via a website. It also means monitoring people’s behaviour in the EU, e.g. through the use of analytics and other tools. Certain factors will be looked at to determine whether you are targeting persons in the EU, e.g. via use of local language, providing an option to pay in Euros, making references to EU specific clientele, etc. A Chinese company’s website doing business in Asia that is accessible in the EU, would not be considered targeting, but if it then offered its products/services on the website in German and included a German company as a reference client, then that would be considered to be targeting. Also, if you monitor behaviour of people in the EU by, for example, doing behavioural advertising, carrying out geo-localisation/ geo-marketing activities, online tracking, etc you’ll be deemed to be targeting. Even if you are a provider of these services/products and do so free of charge, for example offering a free app on the EU market that contains geolocalistion technology and is in German would be considered targeting.
c. Are there exceptions?
Only if your data processing activities meet all of the conditions below:
- They are done only very rarely or as a one -off. AND
- They do not include any special categories of personal data (i.e. relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation) on a large scale. AND
- They are unlikely to result in privacy intrusions. Examples of privacy intrusions include processing activities that give rise to discrimination, identity theft or financial loss, or where the special categories of data are being processed.
2. Who can you appoint as an EU representative?
The EU rep’s tasks are to:
- be the contact person for your customers in all applicable EU countries for all issues related to the GDPR
- maintain records of your processing activities and other relevant data protection documentation; and
- legally represent your business with the EU data protection supervisory authorities.
So, you’ll need to do your due diligence to check that whoever you appoint is right for the job.
Please note that the appointment of an EU rep does not change your company’s responsibilities for compliance or liability for non-compliance under the GDPR.
3. Can our DPO act as our EU Rep?
Unfortunately, no – your DPO cannot do both. Even if you have an external DPO in an EU country, the data protection authorities say there would be a conflict of interest if the same person was fulfilling both roles.
4. How can we start planning?
The transition period is a good time to prepare. Here is a checklist to help you get started:
- Do you have an EU office, branch or other establishment? (if so, you will not need to appoint)
- Are you processing personal data of individuals in the EU that relates to:
- offering goods or services, and/or
- monitoring their behaviour?
(if yes to either you will need to appoint)
- Can you rely on the exception above for all EU sales activities? (if yes, you will not need to appoint)
- Have you chosen an EU representative that is based in one of the countries where your data subjects are?
- Have you put in place an appropriate written mandate for that representative to act on your behalf?
- Does your EU representative maintain the required documentation (particularly the records of processing activities)?
If you need help identifying if your business needs an EU Rep or in appointing one, we can help. Get in touch on firstname.lastname@example.org