Under the EU General Data Protection Regulation 2016/679 (GDPR) almost every company established outside the EU, but which is processing the personal data of people living inside of it, has to designate a representative within the Union. However, what are the requirements to the representatives and who exactly needs one? These are the ﬁner points we are about to delve into further.
Anastasia Chiganov-Zalesskaia oversees IT/IP practice at Red Bishops, a boutique law ﬁrm. She holds a degree from HSE, she also studied law at Harvard Law School and University of London. Anastasia has a decade long practicing experience, both as an in-house counsel for top banks and tech companies and as a consultant in law ﬁrms.
What is GDPR and its focus?
GDPR has been effective for more than a year now, since May 25, 2018, and we have already seen a strain of news describing massive fines for non-compliance, mostly those within the financial services sector.
The importance of being GDPR compliant
In recent news, it has been reported that Ireland’s Data Protection Commission has concluded investigations into Facebook’s WhatsApp and Twitter over possible breaches of EU data privacy rules. Companies can be fined up to 4% of global annual revenues for breaching GDPR. For Facebook, that could mean a fine of more than 2 billion US dollars. But even if your business is not nearly a tech giant like Facebook the fine still can amount up to 20 million euros.
But not only tech giants get to deal with consequences of GDPR non-compliance: the GDPR first fine was issued to a school in Sweden that was processing sensitive personal data of its students. Overall, authorities of 11 countries have already introduced fines amounting to over 55 million euros in total. A business ignoring GDPR rules can also suffer a ban from the EU and face reputational damages after being labeled as a company that does not secure user data.
Let’s shortly refresh our memory of GDPR objectives and requirements.
How GDPR affects businesses
The primary goal of GDPR is to give data subjects understandable information on the types of their personal data being collected, how and why it is being processed by laying out requirements for consent and privacy notice. It also gives data subjects a handful of rights to access, change and even erase personal data retained by the controller or processor altogether.
GDPR also sets out rules on such issues as data storage requirements, handling of special categories of personal data and breach response procedure.
Here, we want to address the less discussed, but nonetheless important provision, that is a requirement for non-EU based data controllers and processors to designate a representative in the EU. As our recent experience working on international fintech projects has demonstrated, this requirement still raises multiple questions among businesses and further we will dig into some of them.
GDPR representative profile
The Nominated European Representative is a regional agent for your organization with regards to the processing of personal data. Choose carefully, as the Article 27 of GDPR states the following criteria to the candidates:
- designated in writing (on practice, appointed by a service agreement);
- an individual or a legal person;
located in one of the EU countries where the data subjects reside. So, having customers in Belgium, Germany and Sweden, means your representative can be in one of these states but not in France or Spain;
- indicated in the privacy note (policy) as a primary contact for data subjects in the EU and supervisory authorities, including the representative’s name, address and email.
Unlike a DPO, a designated representative does not need any specific legal training or certification in data privacy, however it must have sufficient knowledge in the area to negotiate the requests from data subjects and regulating authorities.
The main tasks of a representative
When choosing a European representative consider the following functions, they have to have the ability to fulfil and excel at.
The representative’s obligations are to act on behalf of the controller/processor in the EU, be an efficient point of contact. Thus, they are not responsible for the controller’s/processor’s obligations under GDPR. When it comes to data subject requests (SARs), it is not the representative’s job to fulfill them, but only to forward them to the obliged entity.
- Record Maintenance
GDPR states that it is representative’s duty to maintain a record of processing activities. The European Data Protection Board (EDPB) considers that the maintenance of this record is a joint obligation and that the designator must provide its representative with an accurate and updated information.
The representative is the face of your business in the region and have to reflect your ideas clearly, as well as diligently maintain records.
How non-compliance affects representatives
“The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves,” — GDPR Art. 27
EDPB clarified that though the designating processor or controller can be sued for non-compliance, the representative can also be held liable. One of the goals of the Article 27 was for the enforcers to be able to initiate legal action against the representative as well as the controller or processor. Therefore, applicable fines and penalties can be imposed on the representative as well as its designator.
However, the existing guidelines still seem unclear as there is no certainty whether the representative can be sanctioned for the designator’s misconduct. It is viewed though by many professionals that the representative can be only held liable for non-compliance with its own obligations, but not the ones of the controller or processor. Nothing left but to wait for the authorities to apply the aforementioned on a real case.
Who needs a representative
Unlike the previous EU Data Protection Directive of 1995, GDPR is not applied only to the entities registered and actually located in the European Union.It can affect any entity or individual worldwide. Any company that does not have an “established” EU presence and is involved in activities described further falls within the scope of Article 27 of GDPR.
“Establishment” implies an effective, real and stable activity. The legal form of such activity is, however, not the determining factor, be it a branch or a subsidiary with a legal personality(e.g. in some cases it can be having employees located in the EU).
The article 27 of GDPR sets up the requirement for non-EU based data controllers (persons that determine means and purposes of data processing) and processors (persons that actually process data). It states that companies established outside of the EU are required to nominate a EU representative if their processing activities include:
- the offering of goods or services, irrespective of whether a payment is required, to data subjects in the EU;
Basically, this means that as long as your services and goods are marketed to or clearly intended for people in the EU (not only citizens, but anyone physically located there), you will have to designate a representative. An example can be an online store with shipping to the EU countries, a website or mobile app available in European languages, or prices in EU currencies (euro, British pound sterling, etc.). Therefore, it is not always direct advertising or direct invitation to treat to the EU residents.
- the monitoring of their behaviour that takes place within the EU.
An example of behaviour monitoring can be processing videos from security cameras at the malls with an AI technology to obtain behavioral patterns of the customers, or gathering information of European data subjects’ usage behavior on a website.
It is worth noting that a designated representative in the EU is not viewed as an “establishment” of a company, or the fulfillment of a data protection officer (DPO) designation requirement .
When an EU representative is unnecessary
Article 27 of GDPR provides an exemption for the requirement. The controller/processor doesn’t have to nominate a EU representative when:
- processing is occasional and doesn’t include, on a large scale, special categories of data or personal data relating to criminal convictions and offences; or is unlikely to result in a risk to the rights and freedoms of natural persons;
- the controller/processor is a public authority or body.
While the second exemption is very straight-forward, the first point may need some breaking down. Ultimately, there are three requirements:
- the processing has to be occasional. There is no definition for occasional in GDPR, but authorities have defined “regular” (which is an opposite of occasional) so it can now be derived that, for instance, using employees’ data for payroll purposes is regular, therefore not occasional, as is using user’s details for online registration.
- there is no large-scale processing of special categories of data (such as race, political opinions, sexual orientation etc.) and data related to criminal convictions offences. Large-scale processing could refer to the number of data subjects concerned; the volume of data being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity.
- the processing is unlikely to result in a risk to the rights and freedoms of natural persons.
If any of above requirements are not met, you cannot be exempted from assigning a representative.
To sum up, if you are established outside of the EU, in order to be compliant with Article 27 of GDPR you need to:
- determine whether you are processing any data of the EU residents;
- confirm the intent of working with an EU-based person or a company located in a country you primarily operate, by signing a service agreement;
- incorporate representative’s contact details in your public privacy notice;
- regularly provide your representative with all the necessary records on data processing;
- work together with your representative on requests from authorities and data subjects.
Complying with the Article 27 may seem not as complicated as ensuring data subjects’ rights, nevertheless, when appointing a representative of your business under GDPR you should carefully consider their expertise in privacy issues and ability smoothly communicate with customers,users and local authorities.
For now, there is a range of representative’s services offers that are largely combined with legal and tech professionals services to create a package deal, which makes them extremely pricy. However, we expect the market to balance itself with more affordable offers in a foreseeable future. When it happens, businesses should be twice as diligent in choosing an appointee.