GDPR EU Representative Service

Companies based in the United States that have customers in the European Union may need to appoint a GDPR EU representative. The news is spreading across the US that GDPR requires companies that meet certain criteria to appoint a GDPR representative within the EU. The GDPR has clear guidelines on who is legally responsible for making this important EU representative appointment.

If a company is

(a) Offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union;

or (b) monitoring of their behavior as far as their behavior takes place within the Union.

(c) and is not a public body;

(d) and its data processing is not occasional;

(e) and even if it is occasional, the data processing it is engaged in doesn’t include, on a large scale, processing of special categories of data as referred to in Article 9(1) GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10 GDPR.

Unless the company fits into one of the above exemptions, any company meeting the description of (a) or (b) above is required to appoint a representative body in the EU.

The GDPR Representative requirement still comes as a shock to many US companies that have customers in the EU. The primary reason why the EU has mandated this requirement is to ensure that there is a direct line of communication between the EU privacy authorities and non-EU companies that do have EU customers but do not have a physical presence in the EU. This requirement is here to stay and it’s important that US companies put the appropriate steps in place to ensure that they are on the right side of this compliance requirement.

Get the fundamentals right

Before a US company makes this appointment or any other GDPR-related appointment, it is vitally important that the company first understands where it sits on the GDPR readiness scale. On a scale of one to ten of compliance readiness, the company needs to know where it resides before making any decision on appointments. This GDPR self-awareness assessment will also be highly relevant for any future CCPA and other data privacy compliance work that will be coming down the tracks in the near future. The following three items are essential building blocks that need to be put in place in order to achieve GDPR compliance.

Register of data processing activities

The register of data processing activities is a fundamental first step on any company's GDPR compliance journey. The register is a database or a large spreadsheet where a company documents every single data flow in the organisation. Each of those data flows must be examined under approximately thirty headings. The data processing register is essentially a record of which personal data your business processes and who you share this data with. It is one of the first major milestones on the journey to becoming GDPR compliant, and not having one is, by itself, a trigger for a fine of up to €10 million. The register of data processing activities becomes the bible that allows the organisation to understand what data looks like in the company, and it is the product of the data mapping exercise that many people who are familiar with GDPR will recognise. The task of producing the register is the toughest nut to crack in getting ready for the GDPR. Once a company has properly completed this piece of work, it is possible to answer the next two fundamental questions on the GDPR compliance journey.

Data processing agreements

The next fundamental question to address is: does your company have written data processing agreements in place for the areas where your company sends data out of your organisation to a third party to process on your behalf? And do you have written agreements where your company receives data from a third party? For each of these data transfers in and out of your organisation, you will be required to have a data processing agreement in place. The GDPR states that it is illegal to send personal data to third parties to process it for your business without a written data processing agreement. Similarly, as a business you cannot act as the processor of data controlled by a third-party entity without a data transfer agreement in place either. These data transfer agreements need to be properly drafted and signed before any GDPR Representative work should commence.

Privacy notice

A privacy notice is a public document that explains how your business processes personal data and how it applies data protection principles. A privacy notice should include information such as:

  • What data your business collects.
  • How your business collects your customer data.
  • How your business will use your customer data.
  • How your business will store your customer data.

It is also vital that a privacy notice is drafted and published before any GDPR Representative work begins.

Only when these key building blocks are in place should you take the next step, which is to begin to search for and appoint the right GDPR representative for your business.

What are the main functions of a GDPR Representative?

  • The GDPR Representative is hired to act as the person on the ground in the EU to handle your customers' GDPR-related enquiries. Customers are legally entitled to submit a Subject Access Request (SAR). A SAR is the Right of Access allowing an individual to obtain records of their personal information held by a company.
  • The EU Representative is also appointed to act as the interface between your business and the EU supervisory authorities.

What is a GDPR Supervisory Authority?

Each member state in the EU has made an independent public supervisory authority available that is responsible for the monitoring and implementation of the GDPR.

When should a GDPR Representative be appointed?

If your company is regularly processing data from customers in the EU and if your company does not yet have a physical presence in the EU, then steps should be taken to investigate and appoint a local EU GDPR Representative.

Do all American companies have to appoint a GDPR Representative?

No, only American companies that do not yet have a physical presence in the EU and that regularly process EU customer data. If you are in doubt about whether your business is required to appoint a representative, we strongly recommend that you seek legal advice on this subject.

What are the tasks of a GDPR Representative?

Act as a GDPR point of contact between your company and the local supervisory authority in the EU.

Act as a GDPR point of contact between your company and your data subjects (i.e. your customers).

Act as the authorised person/organisation to receive legal GDPR documents on behalf of your company.

Maintain records of data processing activities of your company in the EU as per Article 30 of GDPR and where applicable.

Make records available to the GDPR supervisory authority when requested.

Does a GDPR Representative need to be appointed in every EU member state?

No, only one GDPR Representative is required to be appointed for each company. This follows the one-stop-shop mechanism under GDPR.

What is the one-stop-shop mechanism?

The one-stop-shop mechanism means that companies carrying out cross-border personal data processing activities will only have to deal with one supervisory authority and not multiple supervisory authorities at the same time.

Is a DPO and a GDPR Representative the same role?

No, a DPO and an EU GDPR Representative are two distinct roles in any organisation. A DPO acts as an internal GDPR compliance officer within a company. A GDPR Representative is the interface between a company and its EU-based customers and the EU supervisory authorities.

How will your customers find out if your company has appointed a GDPR representative?

All the contact information of the GDPR Representative should be included in your company privacy notice. The information included in the privacy notice will leave your EU customers and the supervisory authority in no doubt who to contact when it comes to data processing queries and GDPR compliance issues.

Next steps

If you require any help or assistance in making a decision on appointing a GDPR representative, or any other advice covered on this page, we will be delighted to help you.