Data Protection Law
What is a “European Representative” and do you need to appoint one? We have received lots of marketing from businesses in France, Germany and other members of the EU encouraging us to sign up to their European Representative Office service so that we can be compliant with GDPR. This article covers the role of the European Representative and addresses the question about whether you need to appoint one now or later.
Do organisations need to appoint a European Representative right now?
Do organisations need to appoint a European Representative in the future?
If you are a UK business offering goods or services to individuals in the European Economic Area (EEA) then, after the Brexit transition period ends (31 December 2020), you may need to appoint a European Representative in the EEA because the UK will no longer be within the EEA. This representative would act as the point of contact for your data subjects within the EEA as required by Article 27 of the General Data Protection Regulation (GDPR).
See below for the specific circumstances in which this requirement exists.
The UK left the EU on 31 January 2020. From then until the 31 December 2020 the UK will be in a “transition period”. During the transition period EU law will continue to apply in the UK which includes data protection law and no UK organisation will need to appoint a European Representative until after the transition period ends.
European Representatives after the Brexit transition period
Once the transition period ends UK-based data controllers or processors who:
- are without any offices, branches or other establishments in the EEA
- who are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals located in the EEA
will be required to have a European Representative in the EEA.
There are exceptions to the above requirement where:
- you are a public authority or body.
- your data processing is only occasional, presents a low risk to data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.
Who can be your European Representative?
A European Representative may be an individual or a company or other organisation established in the EEA where a significant portion of the individuals whose personal data you are processing are located. So if a significant portion of your customers are in Greece, your representative should be located in Greece.
One representative can act on behalf of several non-EU controllers and processors. A representative should not, however, be a data protection officer; the draft European Data Protection Board (EDPB) guidance suggests that the roles are incompatible and combining them would be a conflict of interest.
Appointing a European Representative
You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
In practice you should appoint a representative through a service contract.
The appointment of a representative must be in writing and should set out the terms of the relationship. Having a representative does not affect your own responsibility or liability under the EU GDPR.
Although the representative should be located in the Member State in which a significant proportion of your data subjects are located, the representative must remain easily accessible to data subjects located in all relevant Member States.
When the function of being a representative is assumed by a company or any other type of organisation, a single individual should be assigned as a lead contact and person in charge for each controller or processor represented.
The role of the European Representative
- Perform its tasks according to the written agreement.
- Facilitate communication between data subjects and the controller or processor.
- Maintain a record of processing activities under the responsibility of the controller or processor.
Notification of the appointment
You should provide EEA-based individuals, whose personal data you are processing, the contact details of your representative. This may be done by including the details in your privacy notice or in upfront information provided to individuals when you collect their data. You must also make the information easily accessible to supervisory authorities – for example by publishing it on your website.
Liability of European Representatives
In November 2018 the EDPB issued draft guidance that said that supervisory authorities were able to initiate enforcement action (including fines) against a European Representative in the same way as they could against the controller or processor which appointed them:
“To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.”
Given that fines under GDPR can hit €20 million or 4% of global annual turnover (whichever is higher) the EDPB guidance sent shockwaves through the industry with many representatives deciding it wasn’t such a good idea to be a representative after all.
However, in an about-turn in November 2019, the EDPB issued draft guidance which says the intention was:
“To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative……The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1)(a) of the GDPR.”
Articles 30 and 58.1 simply concern keeping a record of processing activities and providing information to supervisory authorities when ordered to do so.
Right now, you can ignore those marketing emails about appointing a European Representative but 31 December 2020 will come around soon enough. If you have customers in the EEA but no office, branch or other establishment in the EEA then, as things currently stand, you should be appointing a European Representative before the year ends.
If you have any questions on appointing a European Representative or on data protection generally contact one of our data protection lawyers.