by Jim Ashton | Jul 7, 2018
Set up a representative for GDPR explains which organisations must appoint an EU representative. Whether the organisation is a controller or a processor makes no difference: all organisations that are outside the European Union and do business with any European Union resident or citizen must appoint a representative.
Purpose of this document
This document, Set up a representative for GDPR, sets out why organisations that are not in an EU country will need to appoint a representative and how to set one up.
- Controller: an organisation that determines how personal data is processed
- Processor: an organisation that processes personal data under the instruction of a controller
- Representative: an organisation in an EU country acting on behalf of an organisation outside the EU that deals with people from the EU
- European Union resident or citizen: a person who is a citizen or resident of an EU country regardless of where they are at the time of processing
Set up a representative for GDPR
- UK organisations, prepare yourself for becoming a third country in March 2019.
- Non-EU organisations, prepare yourself for the GDPR.
What the GDPR says
GDPR Article 3, section 2
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
In everyday language, if you are not based in the EU but you deal with individuals in the EU, you need a representative. This requirement applies equally if you are a controller or a processor.
What is the impact of what the GDPR says?
The term that the EU uses for a non-EU country is a "third country".
All countries, except for one, know whether they are or are not a third country.
Brexit will cause GDPR problems for the UK
The only country that is currently in the EU and will become a third country on March 29 2019 is the UK.
Brexit will cause UK companies problems.
All UK organisations that deal with individuals in or from the EU must have an appointed representative in the EU before March 29 2019.
What do I do if I don't want to set up a representative for GDPR in the EU?
You don't need to have a representative if you do not deal with any EU customers or companies. If you want to avoid setting up a representative, get rid of all of your EU customers and business contacts.
What happens if I ignore my representative obligations?
If you deal with EU customers and companies and do not set up a representative, this is a GDPR infraction that can lead to administrative fines up to 2% of your annual turnover or 10 million EUR, whichever is higher.
How do I instruct my representative?
You engage and instruct the representative via a written contract. The contract should contain the representative's tasks. Your representative's name must appear in your privacy notices.
What are the tasks of the representative?
The representative acts on your behalf. It maintains contact with the authorities and individuals. The representative can also be subject to enforcement proceedings in the event of your organisation's non-compliance. The representative is authorised to receive legal documents.
What skills does the representative need?
The role is separate from the role of a data protection officer. The representative is exactly that: it represents the controller or processor within the EU.
The tasks are sensitive and confidential and must be treated properly when dealing with supervisory authority requests or requests from individuals.
Your representative doesn't have to be a lawyer or an IT security expert. A good representative must understand data privacy and how your data services work, be professional and reliable, and have good communication skills.
If I have an EU office can I use it?
Yes, multinationals are free to either use or open up a staffed and operational EU office where the representative is based.
If you cannot afford this, you should outsource.
Can I outsource the set up for a representative for GDPR?
Yes, as long as the chosen representative is based in an EU country where at least one of your customers or the companies you deal with is based.
- If you are an organisation based in a third country and you want to deal with the EU, you must have a representative in the EU.
- If you don't set up a representative and you deal with the EU, you run the risk of serious fines.
- The only way to avoid having a representative is to close down all your dealings with EU customers and businesses.