If your business is located outside of the European Union, GDPR compliance may seem like a murky and confusing process. Indeed, some of its stipulations are more than a little perplexing.
One of these vague and much-debated conditions is set by Article 27, which states that certain businesses outside of Europe will be required to appoint a Data Representative (not to be confused with a Data Protection Officer) within the EU.
Which businesses will this apply to, and how does it work? These are the questions that this article seeks to address.
GDPR Article 27
Because the GDPR applies to any organisation, wherever it is established, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, its reach is effectively global. Article 27 is the provision that deals with companies that have no establishment in the EU, and it has many business owners scratching their heads.
Paraphrased, the article says that any business outside the EU that offers goods or services to people in the EU, or monitors their behaviour, must appoint a Representative established in one of the EU Member States where those data subjects are.
There are two exceptions, and the first one needs to be read carefully: its conditions are cumulative, not alternatives. A business is exempt from appointing a Representative only if its processing of EU personal data:
- Is occasional, and
- Does not include large-scale processing of sensitive (special category) data, and
- Does not include large-scale processing of data about criminal convictions or offenses, and
- Is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing.
The second exception is for public authorities or bodies.
Most of the conditions above are reasonably specific; one is not.
A business that only "occasionally processes EU user data" would not need an EU Representative, but how does one interpret the term "occasional" in this context? No one seems to have a consistent answer to this question.
According to attorney Clarissa Benner of Dot Magazine, Article 27 only applies to companies that employ "large-scale systematic monitoring of [EU] data subjects," while other sources claim that "occasional" could be determined as less than 5% of a company's customer base.
In short, it seems that there is no exact definition of "occasional processing." However, when it comes to following international regulations like the GDPR, it is advisable to err on the side of too much rather than too little compliance.
If in doubt, hire an EU Representative, at least until there is more legal precedent to light the way.
Responsibilities of an EU Data Representative
The primary responsibility of the EU Representative is to serve as liaison between the offshore company and:
- Data Protection Authorities (DPAs) in the EU
- Data subjects located in the EU
In practice, the Representative (which may be an individual or a company) serves as your main point of contact for anyone in the EU. Most of their day-to-day activity consists of responding to inquiries from data subjects or DPAs about your data processing.
A few other responsibilities of the EU Representative may include:
- Receiving and/or sending legal documents as an agent of your enterprise
- Maintaining a copy of your record of processing activities and providing it to supervisory authorities upon request
- Being addressed by supervisory authorities in enforcement proceedings if the business is found noncompliant with the GDPR (note that appointing a Representative does not relieve the business itself of liability)
The Difference Between an EU Representative and a Data Protection Officer
These two job positions are very different.
Data Protection Officer - The DPO is responsible for advising a business on GDPR compliance and on proper data protection and security practices, and for monitoring that compliance. The position can be filled by an employee or an outside contractor, and the DPO may hold other roles as long as they do not create a conflict of interest; the business must let the DPO act independently and must not dismiss or penalise them for performing the role. The DPO is not personally liable for the business's GDPR non-compliance or data breaches.
Businesses must appoint a DPO if:
- They are a public authority or body, except for courts acting in their judicial capacity
- Their core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale
- Their core activities consist of large-scale processing of sensitive (special category) data or of data about criminal convictions and offenses
EU Data Representative - This role is a point of contact in the EU for data subjects (users and customers) and for GDPR supervisory authorities. The Representative acts as liaison and legal representative for your company in Europe, and may be addressed by supervisory authorities, as your legal contact in the EU, in the case of GDPR noncompliance or infringement of user privacy.
The DPO is an employee or contractor of the business and is not personally the target of enforcement action by EU supervisory authorities. An EU Representative, on the other hand, is a legal spokesperson for the business and may be included in any proceedings set in motion by supervisory authorities.
Can the Same Person Serve as Both DPO and EU Representative?
Many business owners confuse the two titles as existing in similar roles and hope to kill two birds with one stone by hiring the same person to do both. However, one entity performing both roles can create a conflict of interest.
First of all, a DPO's loyalty lies with the business they consult for or work for, seeking to improve compliance and limit liability. Since the DPO acts independently and is not personally liable for GDPR infringements, they can do everything possible to protect the business without fear of enforcement action against themselves.
The EU Representative, however, must put the needs and expectations of EU data subjects and the GDPR supervisory authority before all else. Since they may be held responsible for the privacy infringements of the business they represent, the Representative will do everything they can to protect the data subjects in question, but may not be able to limit the liability of the business they work with at the same time.
Therefore, a conflict of interest may occur if the same person or team attempts to fulfill both roles. Ideally, if a business requires both a DPO and an EU Representative, it will appoint two separate entities to fill the two separate positions. This ensures that all bases are covered legally in case of any future privacy disputes.
Considerations When Appointing an EU Representative
Although the GDPR does not designate exactly who can be an EU Representative or how to go about appointing one, it does present a few requirements:
- The designation of an EU Representative must be established in writing.
- The Representative must be established in an EU Member State where the data subjects whose data the business processes are located.
- The business must publish the identity and contact details of the EU Representative in its privacy notice, for example on its website or in its mobile app.
- The Representative must be prepared to act as the contact point for all communications between GDPR supervisory authorities and EU data subjects.
- The Representative must be prepared to be addressed in any enforcement action or legal proceedings that result from GDPR noncompliance or privacy infringement on the part of the business.
The points above are not the only criteria to consider. Your EU Representative will be your primary mode of communication with EU authorities and data subjects. They may also interpret mandates or advise you on GDPR compliance, so there will be a few more specific qualifications to look for:
- The EU Representative should be well-versed in GDPR policy and all other applicable privacy laws. A lawyer or representative of a privacy law firm may be ideal.
- The Representative should be able to communicate with both the data subjects and the supervisory authorities in every Member State where your data subjects are located. This means that your Representative or representation firm may need to work in several languages.
- Since the EU Representative may be required to share legal responsibility in the case of GDPR infringement on the part of your business, choose one with the appropriate liability insurance.
Because of the range of considerations above - particularly language barriers - a popular option for businesses outside of the EU is to hire a firm or law office as the EU Representative. In this way, the business benefits from having an entire team to work with, potentially representing multiple languages, multiple presences throughout different EU Member States, and multiple types of expertise within the EU legal network.