Almost three years into the GDPR, companies, by now, understand they have to be GDPR compliant but they don’t always know that if they are a Non-EU company falling under the scope of GDPR, that does not have an enterprise in the EU, they will probably need an EU representative to be in place, as provided by Article 27.
Applying only to companies that do not have an establishment in the EU but fall under the obligations of the GDPR, an EU Representative should be in place to act as a point of contact and as liaison between data subjects or the DPA of the relevant EU member state and the Non-EU company in question. Although not 100% defined, an ‘establishment’ would need to have a direct link to processing activities of EU citizens, such as the offering of goods or services or the monitoring of EU data subjects, but not necessary have a commercial presence in the form of employees or an operating office.
The EU Representative has three main duties:
To answer questions from data subjects about processing activities and advise data subjects of their rights;
To be a point of contact for the local Data Protection Authority to provide information or receive complaints;
To keep a register of all processing activities undertaken by the company, in accordance with Article 30.
It is important to distinguish the EU Representative role from that of the Data Protection Officer as the two positions are very different. The EU Representative operates at local level and in the corresponding EU language, it is not a role that is active internally to the company as the DPO is.
The responsibilities of the company’s Controller and Processor are NOT affected by the existence of an EU Representative. Accountability for all activities rest with them.
Exceptions to the provision of Article 27 exist:
If the company’s processing activities are occasional (note that low volume is not the same as occasional);
Activities do not involve large scale processing of sensitive data;
Processing is unlikely to comprise the rights and freedoms of individual data subject in the EU.