Anjali Chandarana looks at when and how to appoint a GDPR representative, particularly in the context of Brexit.
One of the novelties of the EU's data protection regime under the GDPR is its territorial scope. The GDPR explicitly applies to certain data processing operations even though the controller or processor may not have any presence in the EU.
Enforcing the GDPR against a business without an EU presence is a challenge for regulators. The GDPR deals with this by introducing a requirement for non-EU organisations caught by the GDPR, to appoint a representative.
The role of the representative is to act as a conduit between the non-EU controller or processor and relevant regulators and data subjects.
While UK organisations have not had to think too hard about representatives to date, Brexit is likely to change this. UK businesses which have no other establishment in the EU but which are within the GDPR's territorial scope will need to appoint a representative when the UK exits the EU (unless and until alternative arrangements are agreed).
Similarly, the UK government intends that after the UK exits the EU (excluding during any transition period), the UK version of the GDPR will require that a controller or processor located outside the UK, but caught by the UK GDPR, will be required to appoint a UK representative.
What is a representative and when do you need one?
A representative is a natural or legal person appointed to represent controllers or processors not established in the EU. To be established in the EU means you have a branch, representative office or other unincorporated presence there.
The GDPR imposes an obligation to designate a representative in the EU on any controller or processor without an establishment in the EU which processes the personal data of data subjects in the EU relating to offering goods or services, or monitoring their behaviour in there. This also extends to EEA countries.
There are exceptions to the requirement where:
- You are a public authority or body.
- Your data processing is only occasional, presents a low risk to data protection rights of individuals and does not involve special category or criminal offence data on a large scale.
Who can be a representative?
A representative may be a natural or a legal person established in the EU able to represent a controller or processor established outside the EU with regard to their obligations under the GDPR.
ICO guidance and draft EDPB guidance on territorial scope suggest that representatives could include law firms, consultancies and other private companies so long as they are established in the EU.
One representative can act on behalf of several non-EU controllers and processors. A representative should not, however, be an external data protection officer; the draft EDPB guidance suggests that the roles are incompatible and combining them would run the risk of a conflict of interest.
Appointing a representative
You must appoint your representative in writing, clearly setting out the terms of your relationship with them and including details of the representative's obligations The ICO and the EDPB recommend using a simple service contract (the representative will not become an establishment).
The GDPR says "the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are".
The EDPB draft guidance suggests that it is good practice to locate a representative in the Member State in which a significant proportion of data subjects whose personal data are processed are located. However, the representative must remain easily accessible to data subjects located in all relevant Member States and, with the help of a team if necessary, must be able to communicate in the languages of the relevant data subjects and relevant supervisory authorities.
When the function of representative is assumed by a company or any other type of organisation, a single individual should be assigned as a lead contact and person in charge for each controller or processor represented.
What is the representative's role?
The representative must act on behalf of the controller or processor it represents with regards to the controller or processor's obligations under the GDPR. In particular, it must:
- Perform its tasks according to the written agreement with the controller or processor, including cooperating with the competent supervisory authorities which may contact them in relation to any compliance matter.
- Facilitate the communication between data subjects and the controller or processor represented in order to make sure the exercise of data subjects' rights are effective (although they are not required to give effect to those rights themselves).
- Maintain a record of processing activities under the responsibility of the controller or processor in accordance with Article 30 GDPR. Guidance suggests maintenance of this record is a joint obligation and that the appointing controller or processor must provide its representative with all accurate and updated information so that the record can be maintained and made available by the representative.
Liability implications and information requirements
The designation of a representative does not affect the responsibility or liability of the appointing controller or processor under the GDPR. Enforcers are also able to initiate enforcement action against a representative in the same way as against controller or processors. This includes the possibility of imposing administrative fines and penalties, and holding representatives liable.
It is unsurprising that regulators can hold representatives liable for their own non-compliance with their GDPR obligations. What is more surprising is the suggestion in the recent draft EDPB guidance on the territorial scope of the GDPR, that representatives might be liable for the actions or inactions of the organisation which they represent:
"To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to [sic] impose administrative fines and penalties, and to hold representatives liable."
If representatives have such extensive liability, it may become hard to find someone willing to take on the role. It is clearly easier to enforce locally in terms of collecting financial penalties, but as the responsibilities of the representative are largely administrative, there will be a reluctance to take on such liability, even with contractual protections. We hope there will be greater clarity on this issue once the EDPB guidance is finalised.
Information about the representative should be provided to data subjects, for example, in your privacy notice or provided to data subjects at the moment of data collection. It should also be made easily accessible to supervisory authorities, for example, by publishing it on your website. However, there is no obligation to directly notify supervisory authorities.
Next steps for your business
- Will you have to appoint a representative after Brexit?> UK businesses may need to appoint a representative in the EU.> EU businesses may need to appoint a representative in the UK.
- If you need to appoint a representative in the EU, consider where they should be based.
- Put in place an appropriate service contract for that representative to act on your behalf setting out responsibilities and covering liability.