The GDPR applies to controllers and processors that process personal data of individuals in the EU, regardless of where the organization is established in the world. Those organizations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance. The GDPR also requires a data protection officer under some circumstances, and makes the role voluntary otherwise, and the Article 29 Working Party recommends the DPO be located within the EU for accessibility even if the controller or processor is not.
What is this EU representative role and how does it interplay with the sometimes overlapping role of the DPO?
Under Article 27, it states that a controller or processor who is not established in the EU and offers goods or services to data subjects in the EU or monitors the behavior of data subjects occurring within the EU must appoint, in writing, a representative within the EU. At first blush, this representative seems merely to be providing a local point of presence within the EU reached more easily than the non-EU controller or processor. The EU representative is required to be co-located in one of the EU member states with the data subjects who are being offered these goods and services or whose behavior is monitored.
The representative has to be available to both the local DPA and data subjects, which makes sense, given these individuals and supervisory authorities would desire someone nearby who speaks their language and understands their customs and expectations. This seems like the representative role should be one of limited agency, where the EU representative merely takes messages and passes information on to the controller and processor located overseas and then communicates back to the data subject or DPA after receiving instructions from the controller or processor.
Subsection 4 of Article 27 states that the representative “is to be addressed in addition to or instead of the controller or the processor … on all issues related to processing, for the purposes of ensuring compliance with this Regulation.” This wording seems to imply that the EU representative may be the only one contacted for GDPR compliance issues if the controller or processor cannot be reached. More ominously, as the DPAs may levy administrative fines and penalties of a significant nature and data subjects may initiate litigation against controllers and processors for damages, the EU representative could find themselves a named party in administrative actions or litigation, as the only defendant that an EU court may be able to obtain effective jurisdiction over.
At least the DPO is protected against legal actions by the data subject and presumably the DPA, but similar statutory protection does not appear in the GDPR for the EU representative. Perhaps the presumption was that the EU representative would be an employee of the controller and processor or at a minimum, an external agent who has contractually limited their liability and specified indemnity by the controller or processor for any issues related to the GDPR. A difficulty for any external agent taking on this role is as the controller or processor is not established within the EU, the agent would have to resort to courts outside the EU if it became necessary to enforce the liability and indemnity clauses of their contract.
Reviewing an earlier draft of the GDPR passed by the European Parliament in 2014 provides some insight. Under the penalties article, it stated, “Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.” In the final draft of the GDPR, the revised wording has been moved to Recital 80, “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”
So the EU representative may be legally pursued locally for the GDPR non-compliance of overseas entities. Given the limits to the extraterritoriality of laws and the jurisdictional reach of courts, it seems likely the EU representative would be required to at least initially incur the legal and other costs for addressing enforcement actions and be responsible for paying administrative fines and damage suit awards.
What about the line separating the roles of the EU representative and DPO?
The earlier draft of the GDPR had required that non-EU controllers and processors appoint a representative in the following situations: Where there was “processing of personal data relating to more than 5,000 data subjects during any consecutive 12-month period,” or there was “processing of special categories of personal data … location data or data on children or employees in large scale filing systems.” This was much of the same criteria used to specify when a DPO was required. The final text has revised this to requiring an EU representative for non-EU controllers or processors when offering of goods and services or monitoring the behavior of data subjects, somewhat overlapping the DPO requirement if large-scale regular and systematic monitoring is performed.
The contact details of the EU representative are required to be disclosed to the DPA and to data subjects, just as are the DPO’s. The controller’s or processor’s EU representative is required to maintain a record of processing, which is not a primarily responsibility of a DPO, but could be if asked to do so. The EU representative is required to cooperate with the DPA, as are DPOs. In Recital 80, it specifies that the representative is required to “perform its tasks according to the mandate received from the controller or processor,” somewhat different than the independence specified for DPOs in performance of their tasks.
So the DPO and EU representative roles have diverged as the GDPR was revised, but the final text is not completely clear. For example, can a DPO also fulfill the role of EU representative for non-EU controllers and processors? Would any EU-based DPO want to take on this representative role for a non-EU controller or processor, given the potential legal exposures described above? With the uncertain state of the GDPR’s final wording, the following query was sent to the Irish Office of the Data Protection Commissioner: “Can the Article 27 representative of controllers/processors not established in the EU also be the Articles 37-39 data protection officer and if so, how would the representative be shielded from liability from data subjects and the DPC in the same manner that the DPO is?”
Their reply focused on the potential conflicts of interest between the roles, such as in the confidentiality required of the DPO when receiving concerns from employee data subjects versus instructions given by the data controller to his representative.
Another potential conflict noted was when the DPA is involved in enforcement activities it would be looking to the DPO to be independent while “the controller and representative are of coequal standing.” Another possible conflict could be when the independent DPO role carries out tasks contrary to the instructions given by the controller to the representative role. While the representative may be subject to enforcement proceedings, the DPC did not believe that the representative was subject to ultimate legal liability under the GDPR, but agreed it was not clear with the tension between Recital 80 and the lack of stated ability to levy fines on the EU representative.
Due to the potential for conflicts, the DPC, while noting that there is no express prohibition on the same person fulfilling both roles, advises caution and notes it is the controller’s responsibility to ensure that the DPO does not take on other tasks that result in a conflict.
photo credit: wuestenigel Two boys taking a break during the play via photopin (license)