The Outsourced DPO was speaking with a customer yesterday afternoon about representatives in the context of Article 27 of the GDPR. The situation as it stands is this.
When do I need to appoint a representative?
If you are an organisation based outside the EU and provide goods or services into the EU whether or not payment is required for those services, or if you are monitoring the behaviour of data subjects in the EU then you need to appoint a representative in the EU. The requirement applies to both controllers and processors. So, if you’re operating a contact centre in Turkey providing out of hours phone coverage for EU organisations, or if you are an Australian based company providing goods or services to EU consumers – you need to appoint a representative in the EU.
With the implementation of the UK GDPR on 1st January 2021, the same rules above apply for processing activities within the UK undertaken from outside the UK. So, the Turkish and Australian companies referred to above will need to appoint a representative in the UK as well as a representative in the EU if they provide services etc. into the UK as well as the EU.
From 1st January 2021 in order to remain compliant with both the UK and EU GDPRs companies outside the EU and UK will need to appoint two representatives: one in the UK and one in the EU. Equally, unless a trade deal says otherwise, from 1st January UK companies servicing EU markets will need to appoint an EU based representative and visa versa: EU companies providing services etc. into the UK will need to appoint a representative in the UK.
If you are not sure whether you need to appoint a representative please reach out to us at dataprotectionpeople.com
What does a representative do?
A representative is appointed to act on behalf of a controller or processor with regard to certain obligations controllers and processors have under the EU GDPR and UK GDPR including co-operating with supervisory authorities with regard to regulatory action taken against an organisation. So, if the Outsourced DPO was acting as a representative for a German car-maker that was being investigated by the ICO for a breach of the PECR, the ICO would liaise with the Outsourced DPO and issue enforcement proceedings to the car-maker via the Outsourced DPO and the Outsourced DPO would, in turn, liaise with the car-maker. The EDPB have set out their thoughts about representatives in a guidelines document (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf).
Who can act as a representative?
You can appoint a wide range of organisations to be your representative providing there is no conflict of interests. So, for example, you could appoint a law firm, a consultancy practice, a sole trader, or a private company. But you could not appoint a processor who acts on your behalf. If you are a UK company needing to appoint an EU representative, you can appoint them in any of the 27 Member States where you are providing services etc. So if you are providing services into Spain, Germany and Poland, you could appoint a representative in any one of those three countries, but you could not appoint a representative in the Republic of Ireland.
Are there any exemptions?
There are exemptions from the obligation to appoint a representative. Public authorities are not required to appoint one – a public authority in the UK being defined as an organisation listed in Schedule 1 of the Freedom of Information Act 2000. Both the FoIA and UK Data Protection Act 2018 are UK centric so public authorities in other countries won’t be caught by our definitions so unless the Secretary of State makes other provisions, it would seem that public authorities in other countries won’t be able to rely on this exemption. Public authorities in the UK will still be able to rely on the exemption set out in the EU GDPR.
Another exemption is where the processing is occasional, does not large scale processing of special category data or personal data relating to criminal convictions and offences and is unlikely to result in a risk to the rights and freedoms of natural persons. So for any routine, systematic processing that is not occasional, a representative must be appointed. Equally, where processing activities involve large-scale processing of special category data or personal data relating to criminal convictions and offences, a representative must be appointed. And finally, any processing which may result in a risk to the rights and freedoms of natural persons, for example, wide-spread monitoring, a representative must also be appointed.
What should I do now?
If you haven’t already assessed which countries you provide services or goods to you need to do that now. If your processing activities involve monitoring people’s behaviour you also need to perform that assessment. Then you need to see if any of the exemptions apply and document your decisions. If you do need to appoint a representative there are probably several routes you could take such as appointing a law firm, a consulting firm, a trade body etc.
What should I look for in a representative?
You need reliability, knowledge of the data protection laws in the jurisdiction in which they operate, and a defined method of working amongst other things. Appointing someone who cannot fulfil the basic requirements could be a disastrous and expensive mistake.