Organizations based outside of the EU or EEA, but subject to the GDPR, are required to appoint an EU representative (EU Rep) according to Article 27 GDPR. In practice, among the many obligations that come with GDPR compliance, the need for an EU Rep feels like a drop in the ocean and tends to be disregarded. That does not mean you cannot be penalised for it: in May 2021 the Dutch Data Protection Authority imposed a €525,000 fine on Locatefamily.com for failure to appoint an EU Rep.
But what does this mean in practice? Who should be an EU Rep, and what are their duties? Let’s take a closer look.
When is an EU representative required under the GDPR?
Data controllers or processors that are subject to the GDPR but are not established in the EU are obliged to designate an EU Rep.
According to the GDPR (Recital 22), establishment implies “the effective and real exercise of activities through stable arrangements.” For example, the stable presence in the EU of a single employee or agent of a non-EU entity could be sufficient to consider that the entity has an establishment in the EU.
This obligation to appoint an EU Rep does not apply when:
- The processing is occasional.
- The processing activity does not include special categories of personal data and is not related to criminal convictions and offences.
- The processing activity is unlikely to result in a risk to the rights and freedoms of the data subjects.
- Last but not least, when the EU Rep is a public authority or body.
Where should the EU Rep be located?
The EDPB (European Data Protection Board) recommends that the EU Rep be established in one of the Member States where the data subjects (whose personal data is processed) are located. If the data subjects are located across multiple Member States, it is recommended that the EU Rep be located in the Member State with the highest volume of data subjects. In that case, however, the EU Rep must be easily accessible to all data subjects across all relevant Member States.
Designation of EU Rep
The EU Rep should be designated by a written mandate of the controller or of the processor (the Principal) to act on its behalf with regard to its GDPR obligations. The mandate is an official written commission, like a contract, between the EU Rep and the Principal (controller or processor). The EU Rep can be a natural or legal person, such as a law firm or a private company. The GDPR does not prohibit outsourcing the role, and one EU Rep can act on behalf of several non-EU controllers and processors.
What is required of an EU Rep?
The GDPR requires two things from an EU Rep:
- To act as the contact point between its Principal and the data subjects and the DPAs, and to cooperate with the DPAs with regard to any action taken to ensure compliance with the GDPR, and
- to keep a copy of the Record of Processing Activities (RoPA) and document everything concerning the processing activities (Article 30 GDPR). Upon a DPA's request, the EU Rep shall provide any information that may be needed regarding the processing activity.
Apart from these direct obligations, in practice the EU Rep assists its Principal with various tasks; for instance, the EU Rep could help with the controller's obligation to notify the DPA in the event of a data breach. This is often done for practical reasons as well, such as proximity to the DPA or the ability to communicate in the local language.
It should be noted that the designated representative may be subject to enforcement proceedings in the event of non-compliance by the controller or processor, and that its designation does not affect the responsibility or liability of the controller or the processor.
What is the difference between an EU Rep and a DPO?
In practice the two roles are often confused. Organisations that are obliged to appoint both a DPO and an EU Rep tend to think that by appointing only a DPO they also “check the box” for the obligation to designate an EU Rep, killing two birds with one stone.
But this is not the case. The EDPB confirms that the function of the representative in the EU is not compatible with the role of an external DPO established in the EU. Let’s take a look at the differences between the two roles:
- Appointment: First of all, the EU Rep is a legal obligation only for companies outside the EU or EEA that process the personal data of EU data subjects or whose processing activity takes place in the EU/EEA. The EU Rep needs to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located. On the other hand, a DPO is designated where the processing is carried out by a public authority or body; where the processing activities carried out by the controller or the processor consist of regular and systematic monitoring on a large scale; or where the processing activity concerns special categories of personal data or personal data relating to criminal convictions and offences.
- Role: A DPO advises and informs the company on how to comply with the GDPR. The DPO should be independent, impartial and objective, and act with autonomy. In fact, controllers and processors are required to ensure that the DPO does not receive any instructions regarding the exercise of his or her tasks. On the other hand, the EU Rep is subject to a mandate by a controller or processor, acts only on its behalf and is therefore under its direct instructions.
- Relationship: EU representatives will always be external to their client company, since they must be based in the EU, whereas a DPO could be someone internal or outsourced.
UK and Brexit
Brexit has made the EU Rep requirement very relevant. In the past, UK companies did not have to appoint an EU Rep when monitoring EU data subjects or offering them goods or services. That changed the day after Brexit, since the UK is no longer part of the EU. By the same logic, as the UK has the UK GDPR as national law, a UK Rep is required for EU companies that offer goods or services in the UK or monitor UK data subjects but do not have an establishment in the country. Non-EU/UK organisations that offer goods or services in both the EU and the UK, or monitor both EU and UK data subjects, will have to appoint both an EU Rep and a UK Rep.
Complications around the UK and lots of “ifs” can make it hard to determine whether you actually need an EU Rep. In short, you should keep in mind that:
- The EU Rep is relevant only if you are not established in the EU/EEA but the GDPR applies to you.
- The EU Rep is not the same as the DPO.
- Pay special attention when it comes to the UK.