Do you need an EU representative?
This is the second in a series of briefings about the data protection issues which need to be considered in relation to Brexit.
As you know, the UK left the EU on 31 January 2020 and is presently in a transition period until 31 December 2020. During this period, the privacy laws remain the same in the UK, but from 1 January 2021 the position will be different. This briefing addresses the question of whether or not your organisation needs to appoint an EU representative from the beginning of next year.
In deciding whether or not you need to appoint an EU representative consider the questions below.
Is your organisation based in the UK but also:
- offers goods and/or services to people in the EEA?
- monitors the behaviour of people in the EEA?
If you answer ‘yes’ to either of the above questions, you will need to comply with the EU GDPR in respect of any personal data you process in relation to people in the EEA, and you may need to appoint an EU representative. However, if you already have branches, offices or establishments in the EEA, you will not need to formally appoint an EU representative for data protection purposes, as you will already have a base in the EU. See the European Data Protection Board (EDPB) guidelines on territorial scope for further detail.
In the event that you do need to appoint an EU representative, you will need to give consideration to the following.
Where within the EU should your EU representative be located?
The location of your EU representative will not depend on where you carry out your processing but will depend on the location of the data subjects whose data you are processing or whose behaviour you are monitoring (if applicable).
You will need to choose a country where at least some of these data subjects are situated. For example, if you have clients in France and Italy, your EU representative will need to be located in France or Italy. You do not need to appoint a representative in both France AND Italy. It will be sufficient to appoint one representative in either one of those countries. However, it would not be acceptable for your EU representative to be in another, different EEA country, such as Germany.
The EDPB advise that it is best practice for your EU representative to be located in the country where most of the relevant data subjects are located. Therefore, continuing with the above example, if most of the data subjects are in Italy, it would be best practice for you to appoint an EU representative in Italy.
However, the EU representative must still be easily accessible by the data subjects in France, where the rest of your clients are located.
Who should you appoint as your EU representative?
The rules on who to appoint do not impose any severe restrictions and you are free to appoint any individual or organisation established in the EEA as your EU representative, although the EDPB has issued guidance on who your EU representative should NOT be.
In particular, the EDPB advise that your EU representative should NOT be an external Data Protection Officer (DPO). This is because your DPO must carry out their duties and tasks in an independent manner, but they would not be able to do this if they are your EU representative, as they would be acting on your direct instructions. Further, the EDPB also advise that your EU representative should NOT be any individual or organisation you instruct as a processor. This is because of the conflict of interest which could arise in the event of any enforcement proceedings.
When deciding upon who to appoint as your EU representative, you should ensure that they are well equipped to perform the role and carry out the obligations required of them. It would, therefore, be prudent to satisfy yourself that your chosen representative has an adequate level of knowledge and experience in data protection. The ICO suggest that a law firm or consultancy firm may be suitable.
What are the responsibilities of the EU representative?
The EU representative must have the capacity to act for you in relation to the data protection matters which arise in the EU. This includes dealing with the relevant Supervisory Authorities and data subjects. In particular, the EU representative will be required to:
- Facilitate communication between you and the data subjects in relation to the exercising of data subjects’ rights (in the data subjects’ language)
- Keep a Record of Processing Activities (to be provided by you, the instructing organisation)
- Co-operate with the Supervisory Authority (in the Supervisory Authority’s language)
You should ensure that your EU representative fully understands what they are required to do and how.
How should you appoint the EU representative?
Article 27 requires that you designate your EU representative in writing. In view of this, and the requirement to satisfy the Accountability Principle, you will need to document the appointment of your EU representative and enter into a written contract with them. This contract should name one individual as the lead contact in charge and should clearly set out what the responsibilities of each party are and how the duties of the EU representative should be performed. For example, the contract should cover matters such as security, confidentiality, data transfers, reporting procedures, dealing with data subjects’ rights and time limits, together with all other relevant issues. It may also be useful to know that a single EU representative can act for several organisations at the same time.
Who do we need to tell about the EU representative?
It is important that the EEA-based data subjects whose data you are processing or whose behaviour you are monitoring are aware of who your EU representative is, as this will be their main point of contact. In addition to this, the transparency requirements under Articles 13(1)(a) and 14(1)(a) place an obligation on controllers to notify data subjects of the identity of their representatives, and it therefore makes sense to provide this information in your Privacy Notice.
The EU Supervisory Authorities also need to know who your EU representative is because, just as with data subjects, your EU representative will be their main point of contact. Whilst it is not necessary for you to register your EU representative with each Supervisory Authority in the EEA, you will need to ensure that the information is easily available. The best way to ensure this is to publish the information on your website.
I will develop my thoughts further on news of the adequacy agreement status, including if there is a need to have agents in the UK and EEA in the next few weeks.
Please remember that the “trade deal” and the adequacy decision are two separate matters and not co-dependent on each other; however, with the shaky hand of politics, who knows!
Can the EU representatives be liable?
Guidance from the ICO and the EDPB indicates that Supervisory Authorities can initiate enforcement action against your EU representatives. This, therefore, underlines how very important it is that you choose your EU representative carefully and ensure that they are perfectly clear about the terms of their appointment and the potentially serious consequences for them when things go wrong. That said, appointing an EU representative does not affect the obligations and responsibilities of your organisation and the situations in which EU representatives can be held liable are limited.
Are there any exceptions to this rule?
You do not have to appoint an EU representative if:
- Your organisation is a public authority
- Your organisation is only processing the personal data of individuals in the EEA occasionally, the processing is low risk, and it does not involve processing special category personal data or criminal conviction personal data on a large scale.
(The word ‘occasionally’ above means that the activity is not carried out on a regular basis and occurs outside the regular course of your business or activity.)
If your organisation falls into either of the above categories, you will not need to appoint an EU representative.
What about UK representatives?
Will these rules work the other way around? That is, will organisations based in the EEA need to appoint UK representatives at the end of the transition period if they offer goods and services to people in the UK or monitor the behaviour of people in the UK? The UK government has indicated that the UK version of the GDPR will say that an organisation located outside the UK, but which is required to comply with the UK GDPR, will need to appoint a UK representative.