One of the mandatory requirements of the GDPR is the appointment of a permanent EU-based GDPR Representative Service for all companies, including US companies, that do not yet have any physical presence in the EU. This means that a US company with customers in the EU but without a physical presence in the EU is required by law to appoint a GDPR Representative. The primary reason for the creation of this new role is so that legislators in the EU can have direct access to companies that are located outside of the EU but who have customers living inside the EU. Even though the GDPR is now enforceable since May 2018, this mandatory requirement still comes as a major surprise for many US companies exporting to the EU.
Here are some fundamental questions that need to be considered in order to verify if your company might be required by law to appoint a GDPR Representative.
– Does your company provide services to customers in the European Union?
– Do you regularly process personal data of your customers who are based in the European Union?
– Is your company without a corporate office located in the EU?
If the answer to these three questions is yes, then your company may be required by law to appoint a GDPR Representative for all questions regarding data protection from EU citizens and data protection supervisory authorities in the EU. If you ignore this mandatory requirement you are taking the serious risk of being awarded substantial financial penalties, reputational damage to your brand and loss of market share to competitors in the EU marketplace.
What are the main responsibilities of the GDPR Representative?
– The EU GDPR Representative is appointed to act as the person on the ground in the EU to handle your customer GDPR related enquiries.
– The EU GDPR Representative is also appointed to act as the interface between your business and the EU national data protection authorities.
Is this GDPR Representative appointment really mandatory?
Yes, this requirement still comes as a major surprise for many US companies exporting to the EU. Many US companies exporting to the EU are still unaware that the GDPR Representative is mandatory in certain circumstances and that non-compliance can result in heavy penalties and reputational damage.
What value can the GDPR Representative create for your business?
In addition to complying with the GDPR regulation, the GDPR representative can also act as the eyes and ears for your business on the ground in the EU when it comes to monitoring the latest GDPR compliance developments. The new EU regulation will evolve quickly in the coming months and years. It’s important that your business is gathering the right level of market intelligence at the right time when it comes to the subject of GDPR compliance issues. The other value that this appointment can create for your business is the perception of trust in the eyes of your customers, prospects and partners.
A Perception of Trust
There is also the perception of trust in the eyes of your European customers, prospects and partners. The appointment of a GDPR representative will allow your business to communicate a clear message to the EU market that data privacy is an issue that your business is taking seriously. By appointing an EU GDPR Representative your customers and prospects will be left in no doubt that your business can be trusted to take care of any data privacy-related queries in a timely and professional manner.
GDPR Representative FAQs
What is a GDPR Representative?
The GDPR has created an important new role in the world of online data privacy regulation. The GDPR Representative must serve as the contact point for all issues related to a company’s processing of personal data under the GDPR. The GDPR Representative must also act as the contact point for GDPR supervisory authorities.
Do all US companies have to appoint a GDPR Representative?
No, only US companies that do not yet have a physical presence in the EU but that do regularly process EU customer data.
What is a GDPR Supervisory Authority?
Each member state in the EU provides an independent public authority that is responsible for the monitoring and application of the GDPR.
What article of the GDPR stipulates that a GDPR Representative must be appointed?
When should I appoint a GDPR Representative?
If your company is regularly processing data from customers who live in the EU and if your company does not yet have a physical presence in the EU then steps should be taken immediately to appoint a local EU GDPR Representative.
What are the penalties that will apply if a GDPR Representative is not appointed?
Penalties of up to EUR 10 Mio or 2% of worldwide annual turnover can apply if a processor or a controller does not comply with the obligation to appoint an EU representative.
What are the typical GDPR Representative tasks?
- Act as a GDPR point of contact between your company and the local supervisory authority in the EU. For example, in the case of complaints from data subjects (i.e. customers), the supervisory authority will need to be able to make contact with your GDPR Representative.
- Act as a GDPR point of contact between your company and your data subjects (i.e. your customers), for example when your customers wish to exercise their rights under the GDPR. This point of contact must also be provided in the local language of your EU customers.
- Act as the authorised person/organisation to receive legal GDPR documents on behalf of your company.
- Maintain records of your company’s data processing activities in the EU. The GDPR Representative is required to have a clear understanding of what processing activities are taking place; failure to do so may result in unknowingly providing false information to the supervisory authorities.
- Make records available to the GDPR supervisory authority when requested. There is an obligation on the Representative to cooperate with the supervisory authority when requested.
- The GDPR Representative may be subject to enforcement actions by the regulatory authorities in the event of non-compliance.
What are the main considerations when appointing a GDPR services Representative?
The first consideration when appointing a GDPR services Rep is to examine the size of your customer base in the EU. A GDPR services Representative with limited resources and systems may not be a good fit for your business if you have a large and rapidly growing customer base in the EU.
The second consideration is to examine the geographic spread of your customer base across the EU. If your customers are widely spread out across the EU you may need to appoint a GDPR Representative that has strong and varied EU language capabilities.
The pace of growth of your company is also a subject that needs to be given some thought. The GDPR Representative service should be scalable enough to grow with your business as you take on more and more customers in the EU.
What if you just adopt a ‘wait and see’ approach and do not appoint a GDPR Representative?
This ‘wait and see’ approach would not be a good idea. The issue here is that it is very easy for both your EU customers and for the EU data regulators to see whether you have appointed a GDPR Representative or not. Your company privacy notifications will reveal exactly what your company’s position is regarding GDPR compliance. At best, ignoring the mandatory requirement could result in the loss of market share to competitors that have moved to appoint a GDPR representative. At worst, ignoring the requirement could attract attention from the EU regulators and result in significant penalties and/or reputational damage to your brand in the EU.
Does a GDPR Representative need to be appointed in each EU member state?
No, only one GDPR Representative is required to be appointed in the EU. However, careful consideration needs to be given to where you decide to appoint your Representative.
Does a GDPR Representative need to have multiple language skills?
There are 24 official languages in the EU. If customers are located across multiple countries in the EU then the answer to this question is yes. An EU GDPR Representative is required to communicate in the official languages where their client’s customers are located in the EU.
Is a DPO and a GDPR Representative the same thing?
No, a DPO and an EU GDPR Representative are two distinct roles in the eyes of the GDPR. A DPO can be considered as an internal GDPR compliance officer within an organisation. A GDPR Representative can be considered as an interface between an organisation and its EU customers and the EU supervisory authorities. The two roles should not be confused.
How do you inform your EU customers that a GDPR Representative has been appointed?
Once appointed, all contact information of the GDPR Representative should be included in all privacy notices issued by the non-EU based company. This notification information will leave EU customers (data subjects) and the relevant supervisory authorities in no doubt who to contact when it comes to data processing queries and GDPR compliance issues. These contact notifications will also show your EU customers that your company is taking GDPR compliance seriously and can be trusted when it comes to EU data privacy legislation.
How do the EU authorities describe the role of the GDPR Representative?
The European Data Protection Board (EDPB) has described its view of the role of the GDPR Representative as follows: “With the help of a team if necessary, the representative in the Union must, therefore, be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.”
GDPR Representative Service for US Companies
ComplianceJunction has teamed up with a market leading GDPR representative service for US companies that do not have a physical presence in the EU but who do have customers in the EU. We have co-designed this service specifically for US companies that wish to prepare for GDPR compliance but who do not wish to deal with the administrative headaches involved.
Our GDPR Representative service includes the following elements:
- Point of contact for your customers: As your local EU representative we will be the point of contact for your “data subjects” in all EU member states for all privacy issues.
- Point of contact for EU data protection authorities: We will legally represent you when interacting with EU data protection authorities.
- Processing: We will help establish and maintain your records of processing activities in the EU. If requested, we will provide these records to the data protection authorities.
The value that we can create for your business is:
- Peace of mind: Our professional service will give you the confidence that you have all the main areas of GDPR representation in the EU covered.
- Ease of doing business: Our dedicated service will ensure that you have to invest the minimum amount of time and resources.
- EU wide coverage: There are 28 EU member states in the EU that are home to over 500 million “data subjects”. We will have your business covered in all EU member states.
Three step process
Our GDPR EU Representative service is provided in a simple three-step process.
- Advice: We will start off by providing best practice advice to your management team on data processing in accordance with the GDPR.
- Audit: We will then conduct an audit of all personal data processing and relevant documentation in your organisation.
- Appointment: As soon as we have completed these preparation steps, our work as your EU GDPR representative can begin.