The EU General Data Protection Regulation requires organizations based outside of the European Union but subject to the GDPR to appoint an EU representative. What does this mean in practice?
In Brussels recently, IAPP Research Director Caitlin Fennessy, CIPP/US, sat down with Lucia Canga, CIPP/E, GDPR EU representative for non-EU companies at the European Data Protection Office in Brussels, for insights that might help other privacy professionals seeking to operationalize Article 27 of the GDPR today. Here’s what she had to say.
The Privacy Advisor: When is an EU representative required under the GDPR?
Lucia Canga: An EU representative is required whenever a company without an EU-based establishment falls within the scope of the GDPR.
Article 27(2) only provides two exceptions to the obligation for non-EU companies to appoint an EU representative. The first exception is subdivided into three cumulative conditions: (1) when the processing is occasional; (2) the processing does not include large-scale processing of special categories of data or processing of personal data relating to criminal convictions and offenses; and (3) the processing is unlikely to result in a risk to the rights and freedoms of natural persons.
The second exception applies to public authorities or bodies.
The Privacy Advisor: What is required of an EU representative under the GDPR?
Canga: The GDPR requires two main things from EU representatives: that we act as the contact point for data subjects and the data protection authorities in the EU/European Economic Area, including that we provide any information that the latter require for the performance of their tasks, and that we hold a copy of the record of processing activities of the non-EU company.
On top of that, although it’s not required by the GDPR, we also provide assistance and support with data breach notifications. This is something unusual but certainly worth mentioning because, whereas EU companies must only notify a data breach to their lead DPA in the EU/EEA — this is called the “one-stop-shop principle” — non-EU companies must notify the DPAs in all member states of the EU/EEA. The one-stop-shop principle does not apply to non-EU companies. This means that they will potentially have to notify a total of 46 DPAs because some member states, like Germany, have more than just one DPA — unless EU/EEA personal data is only processed in specific EU/EEA countries, in which case the data breaches should only be notified to the DPAs of those countries. Given that every DPA has different requirements for data breach notifications, including filing in the country’s official language, the entire process can be very challenging, especially given the tight 72-hour deadline.
The Privacy Advisor: How do organizations differentiate the roles of EU representative and data protection officer?
Canga: Actually, many companies, especially outside of the EU, don’t distinguish between the two. That’s why we call the obligation to appoint an EU representative the "forgotten obligation." This is mainly due to the fact that Article 27 of the GDPR is the only provision that exclusively applies to companies based outside of the EU/EEA. Given that guidelines on how to implement the GDPR are usually written from a European perspective, most of them don’t mention the obligation to designate an EU representative. As a result, this obligation is often overlooked.
The DPO’s role is to assist companies in matters relating to data protection and inform and advise them on internal compliance. DPOs must be independent. They are not allowed to receive any instructions regarding the exercise of their tasks. That’s completely the opposite of the role of the EU representative, who can only act on behalf of the non-EU company pursuant to the instructions that it gets from the latter. The EDPB has clearly confirmed this in its recent guidelines on the territorial scope of the GDPR, stating that the function of the DPO is not compatible with the function of the representative. The aim is to avoid conflicts of interests.
When the roles of the DPO and representative are actually differentiated, it’s key that they be properly allocated. While the EDPB guidelines on the territorial scope have confirmed the incompatibility of bearing both roles at the same time, both functions can sometimes overlap. A good example of this is when both the DPO and representative are the contact point for data subject requests and DPAs. In such cases, it’s essential to set up a procedure to clarify "who does what."
The Privacy Advisor: Are EU representatives involved in advising companies on GDPR compliance in any regard?
Canga: Our point of view on that question is clearly that they shouldn't be. We believe that having an official advisory role is not compatible with the mandate given to us by our clients and the fact that we can only act under their instructions. That’s why we work with other privacy professionals (legal, consulting, IT, etcetera) to provide complementary services in assisting companies with GDPR compliance matters.
That being said, we understand it can be quite daunting for companies to receive requests from data subjects and DPAs, so we’re always there to answer their questions as to best practices on how to respond and reply to such requests. Although we don’t provide legal advice, we make sure that the request is understood by our client and that the procedure is performed smoothly with the appropriate approvals.
The Privacy Advisor: Do EU representatives respond to individual inquiries and access requests independently? Or do they serve as a conduit, forwarding those inquiries to the business and sharing the response with the individual?
Canga: EU representatives can only act under the instructions of our clients. Furthermore, by definition, the representative will always be external to the company since it must be based in the EU as opposed to a DPO who could be someone internal and based anywhere in the world. This means we don’t have access to our clients’ databases, and we can’t independently provide any content to data subjects or DPAs.
Some providers offer representative services in the form of a messaging hub, simply forwarding requests. That’s not what we do. We receive requests, perform identity checks (if our client instructs us to do so), forward the requests (with an English translation if needed), answer our client’s questions as to best practices on how to respond to the requests and reply to the data subjects on their behalf (with, again, translation if needed), unless they choose to answer themselves.
The Privacy Advisor: How does an EU representative engage with EU DPAs on behalf of the business?
Canga: We make sure to engage with them with great care and diligence. If they reach out to us, we apply the same procedure as for DSARs: We inform our clients, translate the request if needed, make sure they understand the request, discuss best practices, refer to other privacy professionals if necessary and reply to the DPAs as per our client’s instructions.
In addition, we also support and assist our clients with data breach notifications to the EU/EEA DPAs. That’s where it gets even more interesting because we see first-hand how different their procedures and reactions are. Although the GDPR aimed to harmonize data protection laws across the EU/EEA, it certainly hasn’t succeeded in doing so in terms of data breach notifications.
The Privacy Advisor: Is the role of an EU representative primarily to provide an enforcement hook for EU DPAs and ensure that the company will pay GDPR fines?
Canga: That’s what the EDPB said quite clearly in its guidelines on the territorial scope of the GDPR. It stated that “the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR” (i.e., that are located outside the EU/EEA and fall within the scope of the GDPR).
Many non-EU companies tell us that they don’t want to appoint an EU representative specifically for that reason because they think that doing so will expose them to EU sanctions. Enforcement outside the EU/EEA has always been a tricky issue, but we’re starting to see a lot of international cooperation between EU and non-EU jurisdictions on these matters and the argument may not hold for very long.
We’re also starting to see cases in which the appointment of an EU representative doesn’t stop DPAs from reaching companies located outside the EU/EEA. For instance, there is a case of July 3, 2019, before the Austrian DPA in which the controller is a company based in the U.S. that has appointed a company in the Netherlands to act as its EU representative. The DPA decided to address its decision directly to the U.S. company instead of the EU representative as Article "27(5) GDPR does not entail a transfer of responsibility." Having said that, it will be very interesting to see how the U.S. company will react to the Austrian DPA’s decision. What will happen if the U.S. company ignores it? Will the Austrian DPA turn to the EU representative for the payment of the fine?
Our experience is that most of our clients decided to appoint an EU representative because they work with EU partners that have to be GDPR-compliant and they want to continue doing business with them. Others want to show their EU customers that they care about privacy and that they have someone in the EU/EEA as their first contact point.
The Privacy Advisor: How is an EU representative’s liability managed?
Canga: That’s a tricky question. The EDPB’s new guidelines on the territorial scope of the GDPR state that the EU representative’s direct liability is limited to its obligations referred to in Article 30 (to hold a copy of the non-EU/EEA’s register of processing activities) and Article 58(1)(a) (to provide any information that the DPAs require for the performance of their tasks) of the GDPR.
However, these guidelines are "soft law," which means they’re not binding. The reason why this point is important is that not many people seem to talk about the indirect liability that makes EU representatives subject to enforcement proceedings by virtue of the national laws of certain member states. For example, Spain’s national law, which is "hard law," stipulates the EU representative is jointly liable with the non-EU controller or processor (see Article 30 of the law). Will these national laws be reviewed and modified in light of the final draft of these guidelines? In the meantime, these national laws still apply and have precedence over the guidelines.
What about the payment of the fines? The EDPB clearly stated that "it was the intention to enable supervisory authorities ... to address corrective measures or administrative fines and penalties, imposed on the controller or processor not established in the Union, to the representative." What if the non-EU companies don’t pay the fines or penalties? The answer to this question also seems to vary depending on the member state. It is, therefore, crucial for us to have a solid mandate agreement in place to cover all these aspects.
The Privacy Advisor: How will things change with Brexit?
Canga: Should Brexit happen, two main things need to be taken into account. First of all, companies established outside the EU/EEA might need to appoint not one, but two representatives: one in the EU and one in the U.K. (if the companies offer goods or services in the U.K. or if they target data subjects in the U.K.). This also means that companies established in the U.K. will also be considered non-EU companies and, therefore, have to appoint an EU representative if they fall under the scope of the GDPR.
Second, the obligation to appoint a representative in the U.K. will also apply to EU companies that don’t have an establishment in the U.K. but offer goods or services in the U.K. or target data subjects in the U.K.