Europe’s General Data Protection Regulations have had a significant impact on businesses both inside and outside of the European Union. One of the most critical changes for international organisations is the stipulation that they must appoint a representative within the EU if they process data of EU residents but do not have a branch of the organisation based within the EU’s borders.
This requirement-outlined in GDPR’s Article 27-hopes to grant the EU more powers to regulate foreign companies working within the EU through their representative. The EU may find it challenging to enforce GDPR on organisations based abroad; otherwise, even if they fall under GDPR’s scope.
Data controllers have been required to have a designated representative based in the EU since 1995, under Article 4 of Directive 95/46/EC, which states each “controller must designate a representative established in the territory of [a] Member State” where such controller “makes use of equipment, automated or otherwise, situated on the territory of the said Member State …” Article 27 of the GDPR expand the requirements to processors. It further removes the requirement that equipment must be located within a Member State.
Who has to designate a representative?
In the vast majority of cases, an organisation that is covered by GDPR but does not have a base within the EU (such as a branch or a subsidiary) is required to designate a representative.
For example, if a US company which collects the data of EU citizens operates a subsidiary company in Ireland, the organisation does not need to designate a representative under GDPR. However, if the US company is based entirely outside of the EU, but collects personal data of EU citizens, it must designate a local representative.
In some circumstances, organisations can become exempt from the representative requirement. If the organisation ’s data processing activities are occasional, or does not include, on a large scale, processing of special categories of data and is unlikely to result in privacy intrusions, then they may not have to designate a local representative. Special categories of data include personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation.
For example, a US company that offers services to EU-based companies may be exempt from the local representative requirement, as they do not collect the data of EU citizens, only companies. However, a US company that sells products or services to EU citizens would need to appoint a representative, as each transaction would result in the company collecting the private information of individuals.
Article 27 stipulates that public authorities or bodies are not required to appoint a GDPR representative.
Responsibilities of a GDPR Representative
The representative represents the non-EU based company concerning obligations under the GDPR (Art. 4(17)). The representative is identified in privacy notices of the non-EU
based company (Art. 13(1)(a) and 14(1)(a)). They may be addressed in addition to or instead of the non-EU based company. For example, a supervisory authority may communicate with a GDPR representative instead of the non-EU company on issues relating to data processing issues.
The representative must record the processing activities for the non-EU based company ( Art. 30). Moreover, the local representative shall “cooperate” with the supervisory authority for any issues that may arise (Art. 31).