Published in Golden Data

What is a ‘representative’ under EU data protection law?


NOTE: In order to fully understand the obligation to appoint a representative under EU data protection law, it is necessary to understand the territorial scope of EU data protection law (see the article on Territorial Scope).

Data controllers or processors subject to EU data protection law but not established in the EU (that is, subject under the so-called ‘targeting’ criterion of Article 3(2) of the GDPR) are under the obligation to designate a representative in the Union unless they meet certain criteria. The representative may be a natural or a legal person established in the Union able to represent a data controller or processor.

In practice, the function of representative in the Union can be exercised on the basis of a service contract concluded with an individual or an organisation, and can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, private companies, etc., provided that such entities are established in the Union. One representative can also act on behalf of several non-EU controllers and processors.

When the function of representative is assumed by a company or any other type of organization, it is recommended that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented. It would generally also be useful to specify these points in the service contract.

Key points:

(1) Non-‘established’ controllers and processors subject to EU data protection law are required to appoint a representative in the EU.

(2) The representative may be a natural or a legal person established in the Union.

(3) The designation of such a representative does not affect the responsibility or liability of the controller or of the processor.

(4) The EDPB has taken the position that the function of representative is NOT compatible with the function of Data Protection Officer (DPO).

(5) The representative should be located in a Member State where the data subjects are located.

(6) Controllers must inform data subjects of the appointment.

(7) The responsibilities of the representative include facilitating the exercise of rights by data subjects, keeping records and facilitating communication between the controller/processor and the data protection authorities.

(8) Supervisory authorities can initiate legal action against representatives, including the imposition of fines.

(9) The obligation to appoint a representative does not apply to low-risk processing (processing that is occasional, not at large scale and does not include special categories of data or information relating to criminal convictions) or to public bodies.

Article 27 of GDPR states that:

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

It is important to note that a controller or processor not established in the Union who has designated in writing a representative does not fall within the scope of Article 3(1) (that is to say, the presence of the representative within the Union does not constitute an “establishment” of a controller or processor under Article 3(1)). [1]

The appointment of a representative does not affect the responsibility or liability of the controller or processor. However, the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, the GDPR enables enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.

The EDPB has taken the position that the function of representative is not compatible with the role of an external data protection officer (“DPO”). Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner”. Such a requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union, which is subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction.

While the GDPR does not require controllers/processors or the representative to notify the designation to a supervisory authority, controllers must inform data subjects of the appointment of a representative (in accordance with Articles 13(1)(a) and 14(1) (information obligations), controllers must provide data subjects with information as to the identity of their representative in the Union). Such information should furthermore be easily accessible to supervisory authorities in order to facilitate the establishment of a contact for cooperation needs.

Example:

A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany.

Since this website is subject to the GDPR as per its Article 3(2)(a), the data controller must designate a representative in the Union. The representative must be established in one of the Member States where the service offered is available, in this case either in the UK, France, Belgium, the Netherlands, Luxembourg or Germany. The name and contact details of the data controller must be part of the information made available online to data subjects once they start using the service by creating their photo album. It must also appear in the website’s general privacy notice.

The representative shall be “established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are” (Article 27(3)). In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. The representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored.

Example:

An Indian pharmaceutical company, with neither business presence nor establishment in the Union and subject to the GDPR as per Article 3(2), sponsors clinical trials carried out by investigators (hospitals) in Belgium, Luxembourg and the Netherlands. The majority of patients participating in the clinical trials are situated in Belgium.

The Indian pharmaceutical company, as a data controller, shall designate a representative in the Union established in one of the three Member States where patients, as data subjects, are participating in the clinical trial (Belgium, Luxembourg or the Netherlands). Since most patients are Belgian residents, it is recommended that the representative is established in Belgium. Should this be the case, the representative in Belgium should however be easily accessible to data subjects and supervisory authorities in the Netherlands and Luxembourg.

In this specific case, the representative in the Union could be the legal representative of the sponsor in the Union, as per Article 74 of Regulation (EU) 536/2014 on clinical trials, provided it is established in one of the three Member States, and that both functions are governed by and exercised in compliance with each legal framework.

The representative in the Union acts on behalf of the controller or processor it represents. The obligations of the representative include:

  • While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective.
  • As per Article 30, the controller or processor’s representative shall in particular maintain a record of processing activities under the responsibility of the controller or processor. The controller/processor shall provide the representative with all accurate and updated information so that the record can be maintained and made available by the representative.
  • As clarified by recital 80, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union. With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.

Exemptions from the designation obligation

There are two exemptions to the obligation to designate (Article 27(2) GDPR):

(1) processing is “occasional”, “does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”. [2]

(2) processing is carried out “by a public authority or body”.

End notes

[1] Recital 80 clarifies that “[t]he representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.”

[2] While the GDPR does not define what constitutes large-scale processing, WP29 has recommended in its guidelines WP243 on data protection officers (DPOs) that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned — either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity.

Resources:

Citations

GDPR Article 27, Recital 80 and Article 83(4)

Enforcement

Dutch DPA Fines Company 525,000 EUR for Failure to Designate EU Representative — Posted on May 19, 2021 to Hunton’s blog
