EU: EDPB guidelines on EU representatives
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), whilst appearing headline-worthy with its mix of potentially huge fines and media scrutiny of data breaches, has not always been clear in all situations. The European Data Protection Board's Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) ('the Guidelines'), were issued for consultation in November 2018 and formally adopted with revisions in November 2019, and were designed to provide some clarification for companies. Tim Bell, Managing Director of DPR Group, discusses the clarification the Guidelines provide for companies concerning their appointment of an EU Representative, and the responsibilities and liabilities of this role.
For companies based outside of the EU, the big headline has always been its extra-territorial effect; the fact that the EU considers any company globally to be under their jurisdiction, even if no part of the processing company exists in the EU, if that company processes the personal data of individuals who are under the EU's protection.
The Guidelines have been immensely helpful in clarifying whether a company not established in the EU falls under the scope of the GDPR. A degree of uncertainty remains, as there is no one-size-fits-all test and each case will be viewed on its own merits; overall, however, the position is much clearer.
Having said that, an issue for companies outside the EU which has received less attention, but which has nonetheless been clarified in the Guidelines, is that of the EU Representative under Article 27 of the GDPR. In basic terms, a company with no EU establishment, whether acting as data controller or processor, which sells products within the EU or monitors people there, is required to appoint an EU Representative. There are exceptions, but the general rule is that if you do not have an EU office and process EU personal data, you are likely to require an EU Representative.
In their first edition, the Guidelines were very helpful in establishing some key principles around the appointment, operation, and liability of the EU Representative, and the final version has filled in some of the gaps which remained.
The main clarifications in the Guidelines, including issues addressed in the first version which remain unchanged in the final version, are:
- the appointment of an EU Representative:
  - a company's representative should be established in the EU Member State where the largest number of their data subjects are based;
  - data subjects in EU Member States other than the one where the EU Representative is established should have easy access to the EU Representative;
  - the same company/person cannot act as both data protection officer and EU Representative for the same company, due to the risk of a conflict of interest arising;
  - for the same reason, a company should not appoint an organisation which also acts as their data processor to be their EU Representative. The Guidelines state only that a controller should not appoint their processor to this role, but it is anticipated that this was also intended to cover agreements between processors and sub-processors, so that a sub-processor should not be the EU Representative of their instructing processor, on the basis that all other GDPR obligations are expected to be flowed down between those parties as they were between the controller and the primary processor, and therefore the same conflicts could arise;
  - only one representative needs to be appointed for each company; there is no need to appoint one representative for each data processing activity undertaken;
  - occasional exemption: the Guidelines apply the same interpretation of 'occasional' as is used when considering the duty to prepare records of processing under Article 30 of the GDPR. In particular, 'a processing activity can only be considered as 'occasional' if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor;'
  - occasional exemption: when considering the third element of this exemption, whether the 'processing [is likely] to result in a risk to the rights and freedoms of natural persons,' both the likelihood and the severity of that risk should be considered; and
  - public authority exemption: national law applies when considering whether an entity is a 'public authority' (although not completely clear, this appears to be the national law of the EU data subject, not the national law in the jurisdiction of the non-EU data controller/processor).
- the operation of the EU Representative:
  - the EU Representative has a duty to hold, maintain, and provide to supervisory authorities their clients' records of processing activities under Article 30 of the GDPR, although the primary duty for preparing this document rests with the controller/processor which appointed them;
  - the EU Representative 'should in principle' (previously 'must') communicate with the data subject and EU authority in the language they typically use, unless this results in 'disproportionate effort;' and
- the liability of the EU Representative:
  - the EU Representative should not be held primarily liable for their clients' violations of the GDPR, but the supervisory authorities do have the option of addressing to the representative 'corrective measures or administrative fines and penalties' which remain unmet by the breaching controller/processor. Although this appears to be a major reduction in the liability of the EU Representative, it actually does not make a significant difference. If an EU Representative were held solely and primarily responsible for their client's violation of the GDPR, they would join their violating client in the proceedings as a party, and only if the violating client failed to pay, either directly to the supervisory authority or under indemnity to their EU Representative, would the EU Representative be expected to meet such penalties; and
  - the EU Representative remains primarily liable under the GDPR for its own failures to comply with Articles 30 (records of processing activities) and 58 (assisting the supervisory authorities with their investigations).
The Guidelines have dealt with many of the open questions which existed in respect to the EU Representative role and now it is the turn of the courts, both those in the Member States themselves and the central European Court of Justice, to decide how they interpret both the GDPR and the Guidelines.
Tim Bell Managing Director
DPR Group, Dublin