The EU Representative is a required appointment for most companies outside the EU which are affected by GDPR. The Representative serves two main roles:
- They are the point of contact for EU-based individuals and authorities that want to raise questions about the data processing activities or exercise their data rights of a non-EU organisation.
- They assist with enforcement of GDPR, for example by making and keeping required records of processing activities and liaising with the regulators.
Which organisations need to appoint an EU/ EEA Representative?
Organisations (whether businesses or otherwise) outside the EU/ EEA that are selling goods/ services into the EU, or that regularly monitor the activities of individuals there need to appoint an EU/EEA Representative. It applies even if your organisation is in a country that is deemed to have ‘adequate protection’ for purposes of international data transfers, such as the UK.
There are exclusions for public sector organisations, and organisations which only process the personal data of EU/EEA-based individuals as part of an occasional data process (i.e. not as part of their usual activities).
What does the EU Representative do?
The EU/EEA Representative’s main activities are to liaise (on behalf of their client outside the EU) with the data subjects (individuals) and authorities in the EU. Most commonly, they will receive communications from EU/EEA-based data subjects who wish to exercise GDPR rights (such as a right to a copy of the data held, the right to erase the data etc) and pass those requests to their client.
They also hold the data processing records/ documents for their clients and make them available on request to a relevant data protection regulator on request.
Who can (and cannot) be appointed as Representative and in which country (or countries) should they be based?
Any individual or company established in the EU/ EEA may be appointed to the role, but because of the liability position it would be unusual for an individual to personally accept an appointment as Representative.
The same company should not be appointed as both DPO and Representative of the same organisation as per the European Data Protection Board guidance, there would be a potential conflict of interest.
The Representative should have a physical location where postal requests can be received in the EU/EEA country where their client has the largest number of data subjects, and they should also be easily accessible to data subjects in other EU/EEA member states. In effect, this may mean you’d need to appoint multiple Representatives, or a Representative with locations in multiple countries.
What has changed post-Brexit?
Following Brexit, the way in which GDPR has been incorporated into UK law means that there is also a ‘UK Representative’ – so companies outside the UK that provide goods/services to the UK or monitor people there may now need to appoint a Representative (in addition to any existing obligation to appoint a Representative in the EU/EEA).
This means that EU companies may need a UK Representative, UK companies may need an EU Representative, and companies outside both UK and EU may need both.
Do the new EU Standard Contractual Clauses (SCCs) have any effect on the EU Representative role?
The new SCCs provide that if you need to have an EU Representative you must use the relevant option in that part of the contract and list their details in the schedule. This means that organisations outside the EU can expect to be asked whether they have an obligation to appoint a Representative and for their contact details.
Has there been any enforcement of the Representative obligation by Data Protection Authorities?
So far there has been one instance of enforcement in May 2021 when the Dutch Data Protection Authority issued a €525,000 fine against a Canadian website for failing to appoint a Representative in the EU. We’re yet to see if / when more fines will follow.
We can help you put in place a practical data protection strategy that minimises reputational, legal and financial risk. We can make sure you comply with the relevant data protection laws in the countries where you operate, and we’ll also make sure you have the right processes in place to ensure continued compliance.
We work with DataRep who are a leading provider of the EU/ EEA and UK Representative services. They have a network of contact locations in all 27 EU countries, Norway and Iceland in the EEA and the UK. If you want to discuss any of your data protection requirements, including if you need a Representative, please get in touch.