GDPR: The EU representative for companies not based in the EU
The EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, is already having an impact on companies: not only European companies, but any company anywhere in the world, whether located in the US, in India, in the middle of the Pacific Ocean, in Russia or in China, that offers goods or services to the European market or monitors the behavior of European citizens.
One of the requirements under the GDPR is the appointment of a representative in the EU for international companies that are not established within the Union.
Only certain types of companies are subject to this obligation, as specified in Article 27 GDPR.
In terms of commercial operators selling goods or services to European citizens, two areas of data handling and processing are relevant to the obligation to appoint a representative in the Union.
In particular, companies engaged in large-scale, systematic monitoring of data subjects are subject to this requirement. Common relevant activities are, for example, tracking or profiling individual customers or users located within the EU. Marketing on the basis of detailed customer profiles of EU citizens is therefore one of the activities that triggers the obligation.
According to GDPR Art. 9, the obligation does not apply if the data processing is occasional, is not of a sensitive personal nature, or “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”.
The role of the Data Protection Officer (DPO) and that of the Representative are quite different.
The DPO is responsible for helping their data controllers and processors comply with the GDPR, whereas the Representative has more of a liaison role: coordinating communications in the local language with data subjects and the relevant data protection authority.
For example, an Indian company with direct customers in France is likely to assign its DPO responsibilities to its Chief Privacy Officer, who may or may not be based in the EU.
It is, however, obliged to establish and nominate an official GDPR Representative in France, who must be able to communicate in French with local data subjects and the relevant data protection authority (in France, the CNIL; in Germany, “Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit”; in Belgium, the Commission for the Protection of Privacy).
In this example, the representative must be mandated in France, one of the Member States.
The EU representative must be designated in writing, and the obligation applies to both the “controller” (the company collecting the data and in some kind of customer relationship with the data subject) and any (subcontracted) “processor” of the data.
The representative can also be subject to enforcement proceedings in the event of your company’s non-compliance with the regulation.
Your representative doesn’t need to be a lawyer or a cybersecurity expert.
We recommend a reliable person who understands the basics of privacy and your data services, and who has professional experience and very good communication skills.
BRIVA can support you in this process.
We can work together to define a fair solution to represent your organization before the CNIL, the French data protection authority.
If you want a point of view adapted to your organization, contact our certified Data Protection Officer.