Does your company need a GDPR representative in the EU?
The answer to this question depends on the establishment of the company and its activity.
Obligation to designate a representative arises when the company is not established in the EU but it is subject to the GDPR.
It is such situations when companies:
- offer goods or services to data subjects in the EU;
- or monitor their behaviour which takes place within the EU.
However, the GDPR states the exemption when a representative is not needed:
- processing is occasional,
- and does not include, on a large scale, processing of special categories of data or data relating to criminal convictions and offences,
- and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.
Also, a public authority or body is not subject to this obligation.
| Company is not established in the EU + it is subject to the GDPR + no exceptions = representative in the EU is needed |
Who can be a representative, how to designate it, and what is the liability for violation of this obligation — read on for the responses to these questions.
Who is a representative?
Under the GDPR, a representative is a natural or legal person established in the EU who, designated by the controller or processor, represents them with regard to their GDPR obligations.
Who can be a representative?
In practice, the function of a representative can be exercised based on a service contract. This service can be provided by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or other private companies established in the EU. A representative can be an entity, as well as an individual.
One representative can also act on behalf of several non-EU controllers and processors.
Can DPO be a representative?
EDPB in the Guidelines 3/2018 emphasises that these roles are not compatible. DPOs must be able to perform their tasks with a sufficient degree of autonomy. This requirement does not appear to be compatible with the function of a representative, who acts on behalf of the controller or processor and under their direct instructions. A conflict of interests may also arise, for example if an external DPO is asked to
represent the controller or processor before the Courts in cases involving data protection issues.
| DPO ≠ representative |
Can a representative be designated in any EU member state?
GDPR directly states that a representative shall be established in one of the member states where the data subjects, whose personal data are processed, are.
In cases where a significant proportion of data subjects whose personal data are processed are located in one particular member state, the representative must be established in that same member state. However, the representative must remain easily accessible for data subjects in other member states.
| Country of representative establishment = data subjects’ location |
How to designate a representative?
The controller or the processor shall designate a representative in a written form. In other words, it must be a written mandate of the controller or the processor to act on its behalf.
In this case, EDPB emphasises that the presence of the representative within the EU does not constitute an “establishment” of a controller or processor under Article 3(1) of the GDPR.
| Representative in the EU ≠ establishment in the EU |
What are the representative’s duties?
A representative receives the mandate from the controller or processor, and based on it the competent supervisory authorities and data subjects can address their questions directly to it.
The representative acts only within the limits of the authority granted to it by the controller or processor. The designation of such a representative does not affect the responsibility or liability of the controller or the processor under the GDPR, and the liability of the representative is limited only to its direct duties.
The representative must maintain records of processing activities under Article 30 of the GDPR and make them available to the supervisory authority on request. Also, it has to cooperate with the supervisory authorities.
Moreover, the representative must be in a position to efficiently communicate with data subjects or facilitate the communication between data subjects and the controller or processor represented.
The identity and contact details of the representative must be provided to data subjects in accordance with articles 13 and 14 of the GDPR. Failing to inform data subjects of it would be a breach of transparency obligations under the GDPR.
What is the responsibility for not designating a representative?
EDPB emphasises that a controller or processor not established in the EU but subject to the GDPR, failing to designate a representative in the EU would therefore be in breach of the GDPR.
In practice, there are also cases with fines for violation of this obligation.
For example, in 2021 Netherlands supervisory authority imposed a fine of €525.000 for the violations of the GDPR, among which is not designating a representative.
Moreover, in 2022 Italian supervisory authority fined a company in the amount of €45.000. Among the identified violations, there was also a failure to designate a representative in the EU.
In conclusion, if your company is not established in the EU but offers goods or services to data subjects in the EU or monitors their behaviour, you need to designate a representative.
Privacity would be glad to provide you with guidance on how to properly choose, designate, and ensure the functioning of a representative under the GDPR.
