If a company processes the personal data of EU residents and is neither established in nor has an office located within the European Union, it must appoint an official EU Data Representative.
However, if a company is primarily located outside of the EU but has a local office in an EU Member State, the local office holds the responsibility for fulfilling General Data Protection Regulation (GDPR) obligations. An example of this can be seen with the investigation that Facebook faced earlier this year in relation to a suspected GDPR breach. The investigation was carried out by the Irish Data Protection Commissioner as the European headquarters for Facebook is located in Dublin.
GDPR Obligations for EU Data Representatives
Since the new GDPR legislation became enforceable on May 25, 2018, appointing an EU Data Representative has become mandatory. The new legislation states that unless the processing of personal data is occasional and does not include the processing of special categories of personal data or of personal data relating to criminal convictions and offences, an EU Data Representative must be appointed. If the company does not feel that an EU Data Representative is warranted, it must carefully document how it reached this decision.
Location of EU Data Representatives
The appointed EU Data Representative must be located in an EU Member State where the data subjects are situated. If the processing of data occurs in more than one Member State, the company is free to locate the Representative in whichever of those states it wishes. That being said, it would make most sense to locate the company’s Representative in the state where it focuses its targeting of EU data subjects and where it carries out the most processing of personal data.
Data Protection Officer
A Data Protection Officer (DPO) and an EU Data Representative are not to be confused with one another. A DPO’s main role is to ensure that the Data Controllers and Processors it serves comply with GDPR obligations. The DPO differs from an EU Data Representative in that the DPO is an independent role, whereas the EU Data Representative acts on the controller’s or processor’s behalf. Under the new GDPR legislation, the EU Data Representative communicates in the relevant local language with the relevant local data protection authority of the data subjects.
Similar to an EU Data Representative, the appointment of a Data Protection Officer is mandatory under certain conditions of the GDPR legislation, namely where the activities involve large-scale processing or the processing of special categories of data. This applies to most public bodies.
Whether or not the appointment of a DPO applies to a company, it should document its justification for appointing (or not appointing) a Data Representative or DPO, and the contact details of both must be published so that the data subjects and the relevant data protection authority can easily contact them.
GDPR Penalties for EU Data Representatives
If the controller or processor fails to comply with enforcement proceedings, then the EU Data Representative would be subject to GDPR penalties. However, if it is the company to which the EU Data Representative is appointed that is found guilty of not following GDPR obligations, then the local data protection authority will initially commence an investigation of the company in question, not specifically of the EU Data Representative.
Appointment of an EU Data Representative
Article 4 paragraph 17 of GDPR legislation states that “Any natural or legal person who resides in one of the EU Member States can be appointed as a representative in the Union for a non-EU-based company.” The legislation also states that the individual appointed must have a personal or business residence in an EU Member State where the appointing company processes the personal data of local residents.
The appointment of the individual who will take on the role of the EU Data Representative in your company shouldn’t be taken lightly. It is vital to ensure that the individual is resident in the correct EU Member State so that you remain in compliance with GDPR obligations. A penalty is placed on any company that fails to comply with these obligations. Additionally, in the event of a GDPR breach, a penalty of up to €20m or 4% of annual global revenue (whichever amount is more substantial) is applied.