If your company is not established in the European Union but processes the personal data of EU residents and has no office located in the European Union, you must appoint an official EU Data Representative.
This differs from companies primarily located outside the European Union that have a local office in an EU Member State. In such a case the local office holds the responsibility for fulfilling General Data Protection Regulation (GDPR) obligations. For example, earlier this year, when Facebook faced an investigation into a suspected GDPR breach, the Irish Data Protection Commissioner carried out the investigation because the social media company's European headquarters is located in Dublin.
EU Data Representative and GDPR Obligations
Appointing an EU Data Representative has been mandatory since the new legislation became enforceable on May 25, 2018. The GDPR text states that a representative should be appointed unless the processing of personal data is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons. Even where the exemption applies, your company or organisation must carefully document how it came to the decision that an EU Data Representative was not warranted.
Where Should an EU Data Representative be Based?
The EU Data Representative that you appoint must be located in an EU Member State where the data subjects whose personal data the company processes are situated. Should you process data of subjects in more than one EU Member State, you are free to choose where the individual you appoint is based. In most cases, however, the ideal jurisdiction for the representative is the one where your company has the most EU data subjects, focuses its targeting of EU data subjects, and carries out the most processing of personal data.
EU Data Representative vs Data Protection Officer
A Data Protection Officer (DPO) and an EU Data Representative are not the same position. DPOs are charged with ensuring that their Data Controllers and Processors adhere to GDPR obligations. The DPO is an independent role, whereas the EU Data Representative acts on the controller's or processor's behalf. The EU Data Representative communicates in the relevant local language with data subjects and the relevant local data protection authority. In other words, a US company which manages the data of individuals located in Ireland might have a DPO based in the US. In tandem with this, under GDPR legislation, it must have an official EU Data Representative in Ireland who can liaise with local data subjects and the Data Protection Authority in Ireland.
The appointment of an EU Data Representative is mandatory under GDPR for those companies not established in the Union but processing the personal data of data subjects in the Union. The appointment of a Data Protection Officer is also mandatory under certain conditions: where core activities involve large-scale processing or the processing of special categories of data, and for most public bodies.
In all cases, a company should document its justification for appointing (or not appointing) a data representative or DPO, and the contact details of both must be published so that they are easily contactable by data subjects and the relevant data protection authority.
Is the EU Data Representative Subject to GDPR Penalties?
The short answer is yes, but only where the controller or processor fails to comply with enforcement proceedings. In the event that the company which appoints the EU Data Representative is found to have breached its GDPR obligations, the local data protection authority will initially commence an investigation of that company, not of the EU Data Representative specifically.
Appointing an EU Data Representative
As per Article 4, paragraph 17 of the GDPR legislation, “Any natural or legal person who resides in one of the EU Member States can be appointed as a representative in the Union for a non-EU-based company.” In addition to this, the legislation states that the individual appointed must have a personal or business residence in an EU Member State where the appointing company processes the personal data of local residents.
It is vital that your company appoints the correct individual, located in the correct EU Member State, in order to ensure that your company is in full compliance with GDPR. Should your company fail to do so, it may face a penalty, or, in the event of a GDPR breach, a penalty of up to €20m or 4% of annual global revenue, whichever figure is higher.
Author Profile: Michael Cryan, DPO, GDPR Specialist
Michael Cryan is ComplianceJunction’s subject matter expert for GDPR. Michael is responsible for tracking the evolution of GDPR as the new regulation is interpreted and implemented, including tracking case law as it evolves. Michael has 18 years of international experience and is trilingual. Michael Cryan is a certified Data Protection Officer (DPO) with the Association of Compliance Officers in Ireland (ACOI). Michael has also prepared a training module on GDPR and has in the past delivered training courses in Ireland, the UK, Canada, and France.