Are you a Non-EU company? Eight things to know about the obligation to appoint an EU (GDPR) representative

Mar 26, 2020

A significant number of non-EU companies (controllers and processors) to which the EU General Data Protection Regulation (GDPR) extends its applicability may still be unaware that, in addition to their obligation to comply with the GDPR, they must also appoint an EU Representative. It is of the utmost importance that the obligation to appoint an EU Representative receives the required attention, as failing to do so is itself a straightforward violation of the GDPR. The concept of the Representative was introduced with the aim of facilitating liaison with, and ensuring effective enforcement of the GDPR against, non-EU companies that need to comply with the GDPR.

Here is what you need to know about the EU Representative requirement:

  1. Non-EU Companies offering goods or services to EU residents, or monitoring their behavior need to appoint an EU Representative

Under Art. 27 of the GDPR, Companies established outside the EEA and with no establishment in the EU must appoint an EU Representative if they provide goods or services to EU Residents or monitor their behavior. These companies are also obliged to comply with GDPR.

 • Offering goods or services to EU residents

When a non-EU Company intends to establish commercial relations with EU customers, it is deemed to be a Company offering goods or services to EU residents. Some indicators of this intention are the use of languages of EU Member States on its website, payments in a currency of an EU Member State, marketing activities directed at EU customers, delivery of goods in EU Member States, addresses or phone numbers reachable from an EU Member State, and references to customers or users who are in the EU.

 • Monitoring the behavior of EU residents

Non-EU Companies monitor the behavior of individuals located in the EU when they track natural persons on the internet or through wearables and other devices, including online tracking through the use of cookies, CCTV, geo-localization activities and behavioral advertisement.

However, Article 27(2) of the GDPR provides some exceptions to this obligation for public bodies and for non-EU Companies whose processing:

 • is occasional
 • does not include large-scale processing
 • does not include special categories of data (described in Article 9(1))
 • is unlikely to result in a risk to the rights and freedoms of EU data subjects

  2. EU Representative acts as a local point of contact for individuals and data protection authorities

Under Article 27(3) of the GDPR, the Representative is designated to be addressed, in addition to or instead of your Company, by data subjects or EU Data Protection Authorities. The EU Representative acts as the liaison between your Company and the individuals as well as the Data Protection Authorities on all issues related to data processing, for the purpose of ensuring compliance with the GDPR. Your record of processing activities with regard to personal data of EU residents has to be maintained by your Representative.

The EU Representative may also be involved in enforcement proceedings which could be initiated against the controller or the processor. It has been made clear, however, by the revised Guidelines 3/2018 of the European Data Protection Board (EDPB) that the GDPR does not establish a substitutive liability of the EU Representative in place of the Company it represents.

  3. EU Representative can be a natural or legal person located in the EU

Your EU Representative can be a natural or legal person located in one of the Member States where the data subjects whose personal data are processed (in relation to the offering of goods or services to them, or the monitoring of their behavior) are located.

The EU Representative’s role is usually fulfilled by privacy experts with professional knowledge of the GDPR, as the Representative must be able to represent the non-EU company with regard to its respective obligations under the GDPR.


  4. You must appoint your EU Representative in writing

The designation of the EU Representative must be in writing and govern the relationship between the EU Representative and the non-EU company, while not affecting the company’s responsibilities or liabilities.

  5. The EU Representative’s identity and contact details must be accessible to your customers and the data protection authorities

It is necessary that the identity and contact details of your EU Representative are easily accessible to the Data Protection Authorities and to your customers. You must make sure that, at the moment of data collection, data subjects are informed of the identity of the EU Representative, for example through the Privacy Notice.

  6. The EU Representative’s role differs from and is incompatible with the Data Protection Officer’s role

The EU Representative and the Data Protection Officer (DPO) assume different responsibilities under the GDPR. The DPO’s responsibilities include, among others, performing compliance audits, educating personnel on the Company’s GDPR policies and practices, and handling data subjects’ requests. The DPO actively contributes to the Company’s efforts to comply with the GDPR, whereas the EU Representative acts as a contact point whose main responsibility is to facilitate communication between the non-EU Company and the EU.

The different roles of the DPO and the EU Representative should not be assumed by the same person, since a conflict of interest could arise: a DPO has to perform its tasks in an independent manner, whereas the EU Representative performs its tasks according to the mandate and direct instructions received from the Company. There is also a possible conflict of obligations and interests in case of enforcement proceedings.

  7. You don’t need to identify a Lead Supervisory Authority

As stated in the Guidelines on the Lead Supervisory Authority adopted by the Article 29 Working Party in April 2017, the GDPR’s mechanism for the Lead Supervisory Authority only applies to controllers with an establishment in the EU. If the Company does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

In addition, the revised Guidelines 3/2018 of the EDPB mention that the EU Representative can act in all Member States, and that the concept of a Lead Supervisory Authority does not apply in the case of non-EU companies.

  8. Risk of a heavy fine if you don’t appoint an EU Representative

If you do not comply with your obligation to appoint an EU Representative, you run the risk of a fine of up to €10 million or 2% of your worldwide annual turnover.