Do you need an EU GDPR Representative?

Did you know that if you sell to people in the EU but are not located there, you still need to appoint an EU representative? In this blog, we will dive into this in a bit more detail and cover: 

  1. What is an EU representative?
  2. When/Why do you need one?
  3. What are the consequences of non-compliance?
  4. What are the responsibilities of the EU Representative?
  5. What do you need to do to appoint an EU Representative?

What is an EU representative?

An EU representative is the local point of contact for people and supervisory authorities in the EEA for companies established outside the EEA (EU countries plus Norway, Iceland and Liechtenstein). An EU representative is responsible for facilitating communication between the company they represent and the person who has been in contact.

When and why do you need one?

If you sell goods or services to people in the EEA, the simple answer is that you potentially do.

GDPR legally requires companies established outside the EEA (that sell to or monitor users within the EEA) to appoint an EU representative.

So what does this mean in practice? Even if you don’t have offices or staff in the EEA, you still need an EU rep if you are selling to users in the EEA or monitoring their online behaviour.

Suppose your company has a permanent place of business in an EEA country. In that case, you do not have to appoint a GDPR representative.

You must note that a mailbox address or personal workspace does not fall into this category. Since the UK left the EU, this requirement also applies to UK companies that do not have offices in the EEA.

Similarly, the establishment of UK GDPR means that a company that is not established in the UK but offers goods or services or monitors the behaviour of people in the UK needs to appoint a UK representative.

In this case, you may need to appoint an EU representative and a UK representative.

You can find more information on UK GDPR Representatives here.

Are there any exceptions to this requirement?

Yes, but the exceptions are limited.  This requirement does not apply where:

  • personal data with low sensitivity is processed on an occasional basis and is unlikely to result in a risk to the rights and freedoms of data subjects
  • the company is a public authority or body

If these exceptions do not apply, then you are legally obligated to appoint an EU representative. 

What are the consequences for non-compliance?

In short, this can result in a European Supervisory Authority imposing heavy fines.

There are two tiers of fines in the GDPR. 

Less severe violations can result in fines of up to €10 million, or 2% of the company’s annual revenue from the previous financial year, whichever is higher. 

More severe violations can result in fines of up to €20 million, or 4% of the company’s annual revenue from the previous financial year, whichever is higher.  

Does this requirement apply to both Data Controllers and Data Processors?

Yes, it applies to both.  Article 27 specifically states that where the situation outlined above applies, “the controller or the processor shall designate in writing a representative in the Union”.

What are the responsibilities of the EU Representative?

  • The representative is the point of contact for data subjects and supervisory authorities in the EEA. They are responsible for facilitating communication between the company they represent and the person who has been in contact. Realistically, the representative will receive enquiries from your company’s customers and administrative notifications from local supervisory authorities.
  • The representative works with the supervisory authority in the performance of their tasks.
  • The representative is also responsible for retaining and managing records of processing activities for the represented company.  

Are there any qualifications required to be an EU representative?

GDPR requires that the EU representative is based in one of the EEA countries where data subjects are located. Best practice guidance advises that the EU representative should be based in the country where “a significant proportion” of the data subjects are located. However, this is non-binding guidance.

But other than that, no specific qualifications are required of the EU representative.

That said, given the scope of the EU representative’s responsibilities and duties, it makes sense that they should have a comprehensive understanding of European data privacy legislation, along with experience in handling queries and requests from data subjects and supervisory authorities.

Can the DPO be the EU Representative?

No – According to the EDPB, a Data Protection Officer (DPO) is responsible for carrying out their assignments with complete independence. As such, the DPO role is contradictory to the responsibilities of a representative, who is instructed on their tasks by the data controller/processor.

What do you need to do to appoint an EU Representative?

The company must designate in writing the appointment of the EU Representative. This means they must expressly appoint the representative and direct them in writing.

There are no additional requirements about the length, annulment, or termination of the appointment in the GDPR.

Practically speaking, the responsibilities of the representative may be designated and found in a service contract. This service contract demonstrates an EU representative’s tasks, functions, and powers. The represented company does not need to notify the supervisory authorities about their EU representative. Their data protection information (e.g. Privacy Policies) and processing activity records should include the EU representative’s name.