One of the lesser-known obligations under the European Union General Data Protection Regulation, introduced in May 2018, is the appointment of a Nominated European Representative under certain conditions (as per Article 27 of the GDPR).
Organizations that wonder whether the GDPR applies to them should answer the questions in the option diagram below:
If your company, group or organisation is based outside of the European Union and you are unsure whether or not you are obligated to appoint a Nominated European Representative, consider the following questions.
- Does your organization have a legal entity currently established in the European Union?
- Does your organization have any other form of establishment in the European Union, including any of the following?
  - A website in an E.U. language
  - An employee, branch or subsidiary based in the E.U.
  - Hardware located in the E.U.
- Do you provide goods/services within the E.U.?
- Does your group track the online behaviour of European Union residents?
A positive answer in relation to any of these questions means that Article 27 is applicable and you need to designate a Nominated European Representative. Failure to do so would result in a financial penalty as high as €10,000,000 or 2% of annual global revenue for the previous year.
Who Should be Appointed as the Nominated European Representative?
The appointee must be a natural or legal person who resides in an EU Member State and who will act as a guardian or gatekeeper for a group in relation to the processing of personal data.
The Nominated European Representative will act on behalf of the non-EU based company in relation to obligations under the GDPR, pursuant to Article 4(17).
The Nominated European Representative has three main duties:
- Maintaining records of processing activities for the non-EU based company. Your Nominated European Representative must ensure that your records of processing activities are a true representation of what is actually occurring.
- Answering to law enforcement agencies and supervisory authorities in the event of non-compliance by the designated data controller.
- Working with the local supervisory authority, on request, pursuant to Article 31.
What is the Difference between a Nominated European Representative and a Data Protection Officer?
A nominated European representative under Article 27 and a Data Protection Officer under Article 37 have quite different roles, tasks, functions and duties.
It boils down to the following:
- A Data Protection Officer is the data protection authority within a company/organisation, who is charged with creating a compliance culture within that body and also with policing GDPR compliance.
- A Nominated European Representative is a local representative, external to the body, who is not expected to create a compliance culture within your organisation/company.
Basically, the Nominated European Representative is the only contact point for any problems that arise related to the processing of personal data in line with the GDPR, including being a direct contact for any relevant supervisory authorities as well as for data subjects.