Do we need a representative in the EU?
The GDPR requires businesses with no presence in the EU that nevertheless fall under its scope to appoint a representative in the EU. This article aims to shed light on what an EU representative is, who must appoint one, and the differences between a DPO and a representative.
The GDPR is known for its extraterritorial application, which means that it applies not only to EU/EEA organizations but also to organizations located outside the EU/EEA if they meet certain conditions. According to the regulation, if an organization is not established in the EU/EEA (it has no branch, office or other establishment there) but still either (i) offers goods or services to individuals in the EU/EEA, or (ii) monitors the behavior of individuals in the EU/EEA, then it must comply with the GDPR with respect to that processing.
If your organization has no establishment in the EU but falls under the GDPR in this way, you must appoint a representative in the EU. The representative acts on your behalf in relation to GDPR compliance matters, including dealing with supervisory authorities and data subjects.
Who can be a representative?
A representative may be an individual, or a company or organization established in the EU that is able to represent you regarding your obligations under the GDPR. It could be a lawyer, data protection expert, law firm, or consulting company.
You need to authorize the representative to act on your behalf in writing. In practice the easiest way to appoint a representative is by a simple service contract to carry out representative services.
When do you not have to appoint a representative?
Although the GDPR requires organizations with no base in the EU to appoint a representative, it leaves room for certain organizations not to appoint one when specific conditions are met. Consequently, you do not need to appoint a representative if either:
- you are a public authority; or
- your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offense data.
Location of the representative
An EU representative should be located in an EU country where the data subjects whose data the organization processes reside. If an organization processes the personal data of data subjects located in several EU countries, it only has to appoint a representative in one of them. When choosing the country, the organization should take into account where it has the most data subjects.
For example, a consulting company is established and located in Canada and has no offices in any EU country. It has regular clients in Estonia, Malta and Belgium, with most of the clients located in Estonia. The company must appoint an EU representative to act as its direct contact for data subjects and EU supervisory authorities. This representative may be based in Estonia, Malta or Belgium, but not in any other EU member state. However, since most of the clients are located in Estonia, it is recommended to appoint a representative in Estonia.
Are DPO and EU representative the same?
Sometimes the difference between an EU representative and a Data Protection Officer (DPO) is not clear to organizations. Some even consider the two roles to be the same. In reality, they are not.
The GDPR requires that DPOs be able to perform their duties with a sufficient degree of autonomy within their organization. In particular, organizations are required to ensure that the DPO “does not receive any instructions regarding the exercise of his/her tasks”. GDPR Recital 97 states that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. There is no such requirement of autonomy for EU representatives. The representative is subject to a mandate from the organization and acts on its behalf, and therefore under its direct instruction.
Businesses that have no base in the EU should analyze whether they fall under the scope of the EU representative requirement. If you do, you should look for an EU representative in the EU country or countries where your data subjects are located. You need to appoint only one representative in one country, even if you have data subjects in multiple countries. There are service providers who offer EU representative services; in fact, EU representative services have recently emerged as a business model for many companies. Note that while it is recommended, it is not required to choose a representative with a good level of expertise in the GDPR. The EU representative acts as a point of contact for data subjects and supervisory authorities and is therefore not required to be a GDPR expert. It is the DPO who must have a good level of expertise in the GDPR and data protection, as this role is expected to help companies become GDPR compliant.