The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If I am not “established” in the EU, do I have to have a registered agent that is within the EEA?
Answer: Maybe. There are two situations in which the GDPR purports to apply extraterritorially to companies that have no physical contact to the Union.
The first situation occurs when a company that is not based in the EU “offer[s] goods or services” to a person that is based in the EU. According to the GDPR, the regulation would attach even if the offer did not involve a financial transaction or payment.1 In other words, the GDPR might attach even if a company offers only a free service. That said, the regulation makes clear that merely having an internet website that is accessible to EU residents is not enough for the GDPR to attach.2 Something more must be present that demonstrates that a company “envisages” the offering of services into the Union.3
The second situation occurs when a company “monitor[s]” the “behavior” of someone “as far as their behavior takes place within the Union.”4 Although little administrative guidance exists concerning the scope of this extraterritorial “hook,” the EU Commission has suggested that the type of “monitoring” about which the regulation is concerned involves the behavior of individuals on the internet. Specifically the Commission stated that “[i]n order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”5
If either of the above situations applies (i.e., your company offers goods or services to EU data subjects, or monitors the behavior of EU data subjects), the GDPR states that a company may be required to “designate in writing a representative in the Union.”6 The representative can be a person or an organization, but must be “established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.”7 Although the GDPR does not specify further who can, and cannot, serve as a “representative,” the regulation requires that the designated person or entity must have the authority to functionally accept service (i.e., be addressed) concerning any issue relating to processing that may arise from a supervisory authority (i.e., a data protection regulator in the EU) or from a data subject.8
The GDPR implies that the requirement that a representative be appointed does not apply, however, if each of the following criteria is met:
- The processing is “occasional”;
- The processing does not involve a “large scale” of “special categories of personal data” (e., health information) or information relating to criminal convictions; and
- The processing is “unlikely to result in a risk to the rights and freedoms of natural persons.”9