In May 2018, the General Data Protection Regulation, better known as the “GDPR”, came into force in the European Union. The GDPR applies to all European companies (residents), and, in some cases, even to companies located outside the EU (non-residents).
For example, some non-resident companies that collect or process personal data from persons within the European Union are required to appoint a representative in an EU country.
In this article, we will consider which companies are obliged to appoint an EU representative, who may act as such a representative, and a number of other issues related to this obligation.
Companies that export services to the EU often fall under the obligation to appoint a representative in the European Union. Among data protection specialists, this obligation is referred to as “hidden”, since many people simply do not know about it.
The appointment of a representative in the EU became relevant again after the European Data Protection Board (EDPB) issued Guideline 3/2018 on the territorial scope of the GDPR, the last section of which is devoted to the obligation to appoint an EU representative. The EDPB is the EU body responsible for the harmonised application of personal data protection legislation across the EU. Its explanations are actively used by EU data protection authorities when applying the GDPR.
It should be remembered that personal data is any information that directly or indirectly identifies an individual (name, email, IP address, photo, etc.).
Who must appoint an EU representative?
An individual or legal entity that: (1) collects or processes personal data about individuals within the EU, (2) does not reside within the EU, and (3) offers goods or services or monitors the behaviour of individuals within the EU. All three conditions must be met simultaneously.
If the majority of data subjects whose data is collected or processed are located in the same EU member state, it is recommended to appoint a representative in that country. For example, if a US company without an establishment in the EU sells goods to consumers from Italy (20%), Spain (30%), and France (50%), it is recommended to appoint the representative in France.
However, there is an exception to the obligation to appoint an EU representative. A representative need not be appointed if the data processing (i) is irregular, (ii) does not involve the processing of large amounts of special categories of data (e.g. race or religion) or data relating to criminal convictions and offences, and (iii) is unlikely to result in a risk to the rights and freedoms of natural persons.
Processing is considered irregular if it (i) does not form part of the company’s normal operations and (ii) occurs under random circumstances and at random time intervals. For example, if a Chinese IT company holds a one-time conference in Berlin, for which it collects personal data of German citizens, it is not necessary to appoint a representative within the EU.
Who can be an EU representative?
A representative may be any natural or legal person who resides or is registered within the EU, such as an employee, consultant, agent, law firm, or any other company. A mandatory prerequisite for the appointment is the signing of a contract or other document since the GDPR requires the appointment to be “in writing”. One person can act as a representative for an unlimited number of non-residents at the same time.
It should be emphasised that, according to the EDPB’s Guideline 3/2018, a representative cannot simultaneously hold the position of the Data Protection Officer (DPO). Therefore, it is recommended to split the aforementioned roles. Otherwise, a supervisory authority may interpret such a combination as the absence of either the DPO or EU representative.
Duties of the representative
The EU representative acts as a contact point in the EU for the non-residents it represents. The representative may be contacted with any enquiries regarding those non-residents’ compliance with the GDPR, e.g. requests from data subjects or supervisory authorities. In other words, the representative’s role is passive: in practice, it acts only as a referral point in communications with the non-residents it represents.
The only “active” obligation of the representative is to maintain a record of processing activities. In fact, the EDPB considers it a joint obligation of any non-resident and their EU representative.
Liability of the representative
The appointment of a representative does not release any non-resident from their liability for violation of the GDPR and does not shift the liability to the representative. However, the GDPR left this question open, which has led to ambiguity with respect to the potential scope of the representative’s liability.
Since there have as yet been no court cases on this point, two theories emerged concerning the scope of the representative’s liability for violations of the GDPR:
- The first one was based on the fact that the purpose of fines is punishment for the offence. Therefore, if a representative has not breached its obligations (namely, contact with supervisory authorities and data subjects, as well as keeping records of processing activities), it should not be held liable in any way.
- The second opinion was based on a literal interpretation of recital 80 of the GDPR: that “the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
In its Guideline 3/2018, the EDPB stipulated that a representative may be directly liable only if it violates its direct obligations under the GDPR, i.e. keeping records of processing activities and cooperation with EU supervisory authorities.
It is to be noted that the draft version of the GDPR expressly placed the liability of the representative on a par with any non-resident it represents. However, the EDPB decided that representatives must not be punished for mistakes they themselves do not make.
What if an EU representative is not appointed?
For the violation of the obligation to appoint an EU representative, an EU supervisory authority may impose a fine of up to EUR 10 million, or 2% of the global annual turnover for the previous fiscal year.
It should be noted that the actual amount of the fine for such a violation is likely to be far less than the maximum amount.
Liability without an EU representative
It may seem that the representative in the EU is the only way to hold a non-resident liable for a violation of the GDPR requirements.
Although the EU supervisory authorities do indeed rely on this approach, there are other ways to act against violators. One should not forget about the possibility of recognition and enforcement of foreign court decisions in the country of the controller’s or processor’s residence.
The GDPR itself is concise regarding the liability of controllers and processors located outside the EU. It is envisaged that the European Commission, as well as the EU supervisory authorities, should take the necessary measures to develop international cooperation mechanisms with respect to the implementation of legislation on personal data protection. This approach sounds like “we will deal with it later”.