Under certain circumstances, one of the requirements of GDPR is the appointment of a permanent EU-based GDPR Representative Service for all companies, including US companies, that do not yet have any physical presence in the EU. This means that a US company that processes personal data of customers in the EU for goods and services, but does not have a physical presence in the EU, may be required by law to appoint a GDPR Representative. This would also include where the company or organization is monitoring customer behavior in the EU.
The primary reason for this requirement is so that data protection authorities in the EU can have direct access to companies located outside the EU who have customers within the EU. Even though GDPR is now enforceable since May 2018, this requirement still comes as a major surprise for many US companies exporting to the EU. Here are some fundamental questions that need to be considered in order to verify if your company might be required by law to appoint a GDPR Representative.
Fundamental Questions
– Does your company provide services to customers in the European Union or monitor the behavior of customers in the EU?
– Do you regularly process personal data of your customers who are based in the European Union?
– Is your company without a corporate office located in the EU?
If the answer to these three fundamental questions is yes, then your company may be required by law to appoint a GDPR Representative for all questions regarding data protection from EU citizens and data protection supervisory authorities in the EU. If you ignore this mandatory requirement you are taking the serious risk of incurring substantial financial penalties, reputational damage to your brand and loss of market share to competitors in the EU marketplace.
The requirement applies to companies or organisations whether they are controllers or processors under the GDPR. The controller determines the purpose and means of processing, whereas the processor carries out processing on the controller’s behalf. The representative must act on behalf of the controller or processor and may be contacted by any European data protection supervisory authority.
What are the main responsibilities of the GDPR Representative?
– The EU Representative is appointed to act as the person on the ground in the EU to handle your customer GDPR related enquiries.
– The EU Representative is also appointed to act as the interface between your business and the EU national data protection authorities.
Is this GDPR Representative appointment mandatory?
Yes, although there are several exceptions listed in Article 27. It is important to note that the GDPR does not define the term “occasional processing”; however, it can be interpreted as one-off rather than regular processing. Regular processing would include areas such as payroll, ongoing financial relationships and behavior monitoring. The requirement for a representative still comes as a major surprise for many US companies exporting to the EU: many are still unaware that the GDPR Representative is mandatory in certain circumstances and that non-compliance can result in heavy penalties and reputational damage.
What value can the GDPR Representative create for your business?
In addition to complying with the GDPR regulation, the EU representative can also act as the eyes and ears for your business on the ground in the EU when it comes to monitoring the latest GDPR compliance developments. The new EU regulation will evolve quickly in the coming months and years, so it is important that your business is aware of developments in case law with respect to the GDPR. The other value that this appointment can create for your business is enhanced trust in the eyes of your customers, prospects, and partners.
Enhanced Trust
The appointment of a GDPR representative will allow your business to communicate a clear message to the EU market that data privacy is an issue that your business is taking seriously. By appointing an EU GDPR Representative your customers and prospects will be left in no doubt that your business can be trusted to take care of any data privacy-related queries and pursue compliance in a timely and professional manner.
GDPR Representative FAQs
What is a GDPR Representative?
The GDPR has created an important new role in the world of online data privacy regulation. The GDPR Representative must serve as the contact point for all issues related to a company’s processing of personal data under the GDPR. The GDPR Representative must also act as the contact point for GDPR supervisory authorities. This is a separate role to that of Data Protection Officer (DPO).
Do all US companies have to appoint a GDPR Representative?
No, only US companies that do not yet have a physical presence in the EU and regularly process large volumes of EU customer data.
What is a GDPR Supervisory Authority?
Each member state in the EU provides an independent public supervisory authority that is responsible for the monitoring and application of the GDPR.
What article of the GDPR stipulates that a GDPR Representative must be appointed?
Article 27.
When should I appoint a GDPR Representative?
If your company is regularly processing data from customers in the EU and if your company does not yet have a physical presence in the EU, then steps should be taken immediately to investigate and where necessary appoint a local EU GDPR Representative.
What are the typical GDPR Representative tasks?
- Act as a GDPR point of contact between your company, controller or processor, and the local supervisory authority in the EU. For example, in the case of complaints from data subjects (i.e. customers), the supervisory authority will need to be able to contact your GDPR Representative. The representative should be explicitly designated by a written mandate by the controller or processor.
- Act as a GDPR point of contact between your company and your data subjects (i.e. your customers), for example when your customers wish to exercise their rights under the GDPR. This point of contact must also be provided in the local language of your EU customers.
- Act as the authorised person/organisation to receive legal GDPR documents on behalf of your company.
- Maintain records of your company’s data processing activities in the EU, where applicable, as per Article 30 of the GDPR. The EU Representative is required to have a clear understanding of what processing activities are taking place; failure to do so may result in unknowingly providing false information to the supervisory authorities.
- Make records available to the GDPR supervisory authority when requested. There is an obligation on the Representative to cooperate with the supervisory authority when requested.
- The GDPR Representative may be subject to enforcement actions by the regulatory authorities in the event of non-compliance by the controller or processor.
What if you just adopt a ‘wait and see’ approach and do not appoint a GDPR Representative?
This ‘wait and see’ approach would not be a good idea. The issue here is that it is very easy for both your EU customers and the EU data regulators to see whether or not you have appointed a GDPR Representative: your company’s privacy notices will reveal exactly what your company’s position is regarding GDPR compliance. At best, ignoring the mandatory requirement could result in the loss of market share to competitors that have moved to appoint a GDPR Representative. At worst, ignoring the requirement could attract attention from the EU regulators and result in financial penalties and/or reputational damage to your brand in the EU.
Does a GDPR Representative need to be appointed in each EU member state?
No, only one GDPR Representative is required to be appointed in the EU. However, careful consideration needs to be given to where you decide to appoint your Representative.
Is a DPO and a GDPR Representative the same thing?
No, a DPO and an EU GDPR Representative are two distinct roles in the eyes of the GDPR. A DPO can be considered as an internal GDPR compliance officer within an organisation. A GDPR Representative can be considered as an interface between an organisation and its EU customers and the EU supervisory authorities. The two roles should not be confused.
How do you inform your EU customers that a GDPR Representative has been appointed?
Once appointed, all the contact information of the GDPR Representative should be included in all privacy notices issued by the non-EU based company. This notification information will leave EU customers (data subjects) and the relevant supervisory authorities in no doubt who to contact when it comes to data processing queries and GDPR compliance issues. These contact notifications will also reassure your EU customers that your company is taking GDPR compliance seriously and can be trusted when it comes to EU data privacy legislation.
How do the EU authorities describe the role of the GDPR Representative?
The European Data Protection Board (EDPB) has described its view of the role of the GDPR Representative as follows: “With the help of a team if necessary, the representative in the Union must, therefore, be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.”
GDPR Representative Service for US Companies
ComplianceJunction has teamed up with a market leading GDPR representative service for US companies that do not have a physical presence in the EU but who do have customers in the EU. We have co-designed this service specifically for US companies that wish to prepare for GDPR compliance but who do not wish to deal with the administrative headaches involved.
Our GDPR Representative service includes the following elements:
- Point of contact for EU data protection authorities: We will legally represent you when interacting with EU data protection authorities.
- Point of contact for your customers: As your local EU representative we will be the point of contact for your “data subjects” in all EU member states for all privacy issues.
- Processing: We will help establish and maintain your records of processing activities in the EU. If requested, we will provide these records to the data protection authorities.
Value Creation
The value that we can create for your business is:
- Peace of mind: Our professional service will give you the confidence that you have all the main areas of GDPR representation in the EU covered.
- Ease of doing business: Our dedicated service will ensure that you have to invest the minimum amount of time and resources.
- EU wide coverage: There are 28 EU member states in the EU that are home to over 500 million “data subjects”. We will have your business covered in all EU member states.
Three step process
Our GDPR EU Representative service is provided in a simple three-step process.
- Advice: We will start off by providing best practice advice to your management team on data processing in accordance with the GDPR.
- Audit: We will then conduct an audit of all personal data processing and relevant documentation in your organisation.
- Appointment: As soon as we have completed these preparation steps, our work as your EU GDPR representative can begin.