GDPR Article 27 EU Representative
Do you offer goods and services to individuals in the EU?
If you answered yes to the above question, then it may be that you have to appoint a representative in the EEA or the UK. This is likely to apply to a great many companies in Jersey: the finance sector, hotel industry, travel industry and online retailers, to name but a few.
Let us look at the EU only for now; I will come onto the UK requirements shortly.
Whilst Jersey is one of 12 countries outside of the EU considered by the European Commission to have ‘adequacy status’ (offers an adequate level of data protection) this does not mean that Jersey companies are exempt from GDPR.
In basic terms, if you process personal data relating to individuals in the EU on a regular basis and you do not have an establishment in the EU (Office/Branch etc.) then you most likely should appoint a representative in one of the member states where you are offering goods and services.
For example, a Jersey hotel group’s website can be translated into French and German. Rooms can be booked through the website and paid for in euros. The hotel group uses regional magazines in France, Germany, and Ireland to advertise its rooms and the vast majority of its customers come from the EU. The hotel group must appoint an EU Representative in either France, Germany, or Ireland, that is, in at least one EU member state where business is conducted.
Are there any exemptions?
There are exemptions where a non-EU company is not required to have an EU Representative. If you are a public authority, or if your company processes personal data ‘occasionally’ and that processing is unlikely to result in a risk to the rights and freedoms of natural persons and does not involve large-scale use of special category or criminal offence data, then you are exempt. What exactly constitutes ‘occasionally’ remains to be defined.
It is important to note that if you decide that you do not need an EU Representative, you must justify this decision and document it. You have to prove that the processing of data is occasional.
What does an EU Representative do?
The EU Representative acts on behalf of the Data Controller or Data Processor with regard to their obligations under GDPR. The EU Representative acts as a direct contact to the authorities and EU Data Subjects (Users/Customers), while also being an authorized agent to receive legal documents. The EU Representative may also be tasked with maintaining records of processing activities (GDPR Art. 30 (1) and (2)) and making records available to the supervisory authority (GDPR Art. 30(4)).
It is important to note that the designation of an EU Representative does not affect the responsibility or liability of the Data Controller or of the Data Processor under GDPR (Art. 27(4)). The Data Controller or Data Processor is always accountable.
You must authorise the Representative in writing. The authorisation should contain the EU Representative’s tasks. Currently, you don’t have to inform your Supervisory Authority, but you must name the EU Representative in your information to the Data Subject, typically your Privacy Notice (GDPR Art. 13 and 14), and in your records of processing activities (GDPR Art. 30).
Who can be my EU Representative?
The role of the GDPR EU Representative should not be confused with that of the DPO (Data Protection Officer). An EU Representative of non-EU companies will not be required to assess General Data Protection Regulation (GDPR) compliance. The EU Representative is not required to be a legal professional or data security professional.
However, given that the EU Representative may be required to communicate with data protection authorities and data subjects over a variety of issues, it would be beneficial for the EU Representative to have a good knowledge of GDPR regulations. In addition to this, your GDPR EU Representative should ideally have a good understanding of your company’s data services – what and how your company uses Data. The GDPR EU Representative would ideally have professional experience working with authorities in the areas of regulation and compliance.
On the 16th of November 2018, the European Data Protection Board confirmed that the controller/processor should:
“In accordance with Articles 13(1)a and 14(1)a, as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the Union. This information shall, for example, be included in the privacy notice or upfront information provided to data subjects at the moment of data collection. A controller not established in the Union but falling under Article 3(2) and failing to inform data subjects who are in the Union of the identity of its representative would be in breach of its transparency obligations as per the GDPR.”
So, it should be clear in your Privacy Statement who your representative is and how they can be contacted.
Is a GDPR Representative the same as a DPO?
This “Representative” can be “a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27”. A legal person is an individual, company, or other entity which has legal rights and is subject to obligations. This should not be confused with the role of the Data Protection Officer (DPO). The GDPR assigns no major responsibilities to the EU Representatives.
Which EU country can a GDPR EU Representative be from?
The EU Representative must be established in one (only 1) of the EU Member States where the data subjects whose personal data the company processes are located. If the company is processing personal data from more than one EU country, then it can choose its preferred country.
The company must appoint the EU Representative “without prejudice” to legal actions that could be initiated against the company itself. Both the company and the EU Representative could be subject to enforcement proceedings.
In many cases, the EU Representative will be a third party. It is probable that legal and corporate service providers will have experts providing this service to a number of companies. This is a new role and it will be interesting to see how it evolves.
The GDPR EU Representative is a Go-between
The EU Representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including being a contact point for supervisory authorities.
It is the Data Controller and Data Processor that must ensure that their chosen EU Representative has good systems in place to receive communication from data subjects. If a data subject makes a Data Subject Access Request (DSAR) or if the relevant supervisory authority makes a request, it is imperative that the EU Representative responds to this as per the regulation.
On the 16th of November 2018, the EDPB confirmed what it expects of a GDPR EU Representative:
“With the help of a team if necessary, the Representative in the Union must, therefore, be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of an EU Representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU data controller or data processor.”
Legal Obligations of GDPR Representative
Like most aspects of the GDPR, this is unclear. Article 27 does state:
“The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.”
This means that even if a Processor or Controller has a GDPR Representative, they are still accountable. You can outsource the role of the GDPR Representative, but you cannot outsource accountability. If the controller or processor does not appoint a representative, they can “be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
How can PropelFwd help with this?
PropelFwd have an office in Dublin, Ireland and a separate business registered with the Irish Companies House called Propeller Limited. This company will be available to act as your EU Representative, complying with the requirements under the GDPR.
Propeller Limited uses the full team of PropelFwd and the expertise in Data Protection Laws that they have gained over the years to provide you with the very best, professional service you could ask for.
Contact PropelFwd for a quote, or use the assessment tool available on the website to see if you need a Representative under Article 27 of the GDPR.
Under the UK GDPR, as it is known, there is now a requirement for a UK Representative under the exact same condition as the EU Representative. If you do not have an establishment in the UK and you offer goods and services to residents in the UK, for payment or not, you are legally required to appoint a UK Representative.
What is a UK representative GDPR?
The UK Representative has the same responsibilities as the EU Representative: to act as a point of contact for the data subjects and the ICO, and to hold a record of the organisation’s data processing activities and make it available upon request from the ICO.
Do I need a UK representative GDPR?
Yes, it is now a legal requirement: if you do not have an establishment in the UK, you must have a UK Representative if you offer goods and services to residents of the UK, for payment or not.
Who can I get to help with this?
PropelFwd works very closely with a company in the UK called DPAS (Data Privacy Advisory Service). They offer the UK Representative service and have the same ethical qualities as PropelFwd when it comes to customer service, professionalism and extensive data protection knowledge.
Contact them to find out more about this service.