On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).
Last week we published a blog on these guidelines, focusing on when the GDPR applies to non-European Union (EU) controllers and processors. This week, we focus on when non-EU controllers and processors who come within the scope of the GDPR must appoint an EU representative.
GDPR requires that non-EU controllers or processors of personal data of individuals located in the EU appoint EU-based representatives (EU representative), unless they are exempt. The guidelines divide this requirement into four distinct sections.
The appointment process
The EU representative can be a company or an individual. Where the EU representative is a company, the EDPB recommends that a person in the company is specifically designated as the “lead person”.
The EDPB makes it clear that an EU representative should not carry out the roles of both data protection officer and EU representative. The role of data protection officer requires a level of autonomy and independence that is incompatible with the responsibilities of the EU representative.
The EU representative should be explicitly appointed by a written mandate from the appointing non-EU controller or processor. The mandate should allow the EU representative to act on behalf of the controller or processor in relation to its GDPR obligations.
A non-EU controller or processor will not be required to appoint an EU representative if either of the two exemptions below apply:
(1) The processing:
i. is occasional;
ii. does not include processing of sensitive personal data or of data relating to criminal convictions on a large scale; and
iii. is unlikely to result in a risk to the rights and freedoms of natural persons.
(2) The controller or processor is a public authority or body.
Where the representative should be established
The EU representative must be established in an EU Member State where affected data subjects are located. Where the actual processing takes place is irrelevant.
The EDPB recommends that the EU representative is established in the Member State where most affected data subjects are located. Bear in mind, however, that the EU representative must still be accessible by all data subjects across the EU.
The representative’s obligations and responsibilities
The EU representative acts on behalf of the controller or processor in relation to its GDPR obligations. In doing so, the EU representative has a number of obligations and responsibilities. These include:
- Facilitating communication between data subjects and the controller or processor.
- Maintaining a record of processing activities. The EDPB believes this to be a joint obligation of both the EU representative and the controller or processor.
- Cooperating with supervisory authorities.
The GDPR responsibilities and liabilities of the non-EU controller or processer do not disappear simply because it appoints an EU representative. However, an EU representative can be held liable for its own failings.
This issue is only part of the EDPB’s guidelines. As a whole, the guidelines clarify the extent to which non-EU controllers or processors are subject to the GDPR. While they may not like the extra-territorial nature of GDPR, the guidelines provide much needed clarity for non-EU companies.
The EDPB has opened the guidelines up to public consultation. It welcomes comments on the draft until 18 January 2019. After the consultation process, the guidelines will be finalized.