GDPR: When controllers and personal data processors must appoint representatives in the EU

The requirements of the General Data Protection Regulation (hereinafter referred to as the “Regulation” or “GDPR”), which came into force on 25 May 2018, apply pursuant to Article 3(2) also to data controllers and processors not established in the EU if they process personal data of data subjects (natural persons) located in the EU in connection with:

- offering them goods or services (without demanding payment);

- monitoring the behavior of such data subjects in the EU, i.e. tracking individual users online to create profiles, including where this is used for decision-making to analyze/predict personal preferences, behavior and attitudes.

The European Data Protection Board (EDPB) adopted on 16 November 2018 Guidelines 3/2018 on the territorial effect of the GDPR (Article 3) which clarified, among other things, the provisions of Article 27 of the Regulation providing for the obligation of controllers and processors to appoint a representative in the EU in such cases.

The EDPB noted that a controller or processor not established in the EU which has appointed a representative in the EU in writing in accordance with Article 27 of the Regulation does not thereby fall under Article 3(1), i.e. the presence of a representative in the EU does not constitute an “establishment” of the controller or processor within the meaning of that Article.


1. Procedure for appointing a representative in the EU

Recital 80 of the Regulation explains that “the representative should be explicitly designated and authorized in writing by the controller or processor to act on its behalf in relation to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or processor under the Regulation. The representative should perform its tasks according to the mandate received in writing from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with the Regulation.”

The mandate therefore regulates in writing the relationship between the EU representative and the data controller or processor established outside the EU and their responsibilities, without affecting the duties or responsibilities of the controller or processor under the Regulation.

An EU representative may be a natural or legal person established in the EU capable of representing a data controller or processor established outside the EU in relation to its relevant responsibilities under the Regulation.

The EDPB clarified that, in practice, the EU representative function can be exercised on the basis of a service contract concluded with a natural or legal person, including a commercial or non-profit organization such as a law firm, consultancy, private company, etc., provided that such organization is established in the EU. A single representative may also act on behalf of several controllers or processors not established in the EU.

Where the representative function is carried out by a company or any other type of organization, the EDPB recommends that one person be designated as the lead contact responsible for each controller or processor represented. It is advisable to include corresponding provisions in the service contract.

The EDPB does not, however, consider the role of an EU representative to be compatible with the role of an external Data Protection Officer (DPO) appointed in the EU, by virtue of Article 38(3) of the Regulation, which sets out certain basic guarantees to ensure that DPOs can carry out their tasks with a sufficient degree of autonomy within their organization. Specifically, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [their] tasks.” Recital 97 of the Regulation specifies that the DPO, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.”

Regarding notification of the appointment of a representative to the supervisory authority, the Regulation does not expressly establish a corresponding duty for the data controller or for the representative itself. The EDPB recalls, however, that in accordance with Articles 13(1)(a) and 14(1)(a) of the Regulation, controllers are obliged to provide data subjects with information about their representative in the EU. This information should, for example, be included in the privacy notice or in the information provided to data subjects at the time their data is collected. A controller not established in the EU but subject to Article 3(2) of the Regulation which fails to inform data subjects located in the EU about its representative will be in breach of its transparency obligations under the Regulation.

In addition, such information about the representative in the EU should be readily available to regulatory authorities in order to facilitate contact with the representative for cooperation purposes.

An example of a situation in which a non-EU controller is required to appoint an EU representative is the following. A website created and operated in Turkey offers services for the creation, publishing, printing and delivery of personal family photo albums. The website is available in English, French, Dutch and German, and payments can be made in euros or pounds sterling. The website states that photo albums can only be delivered by post to the UK, France, the Benelux countries and Germany. Since the processing of personal data of data subjects located in the EU through this website falls within the scope of the GDPR in accordance with Article 3(2)(a) of the Regulation, the data controller operating the website is required to appoint a representative in the EU.

The representative must be appointed in one of the EU Member States where the relevant service is offered, in this case the UK, France, Belgium, the Netherlands, Luxembourg or Germany. The name and contact details of the data controller should be part of the information available online to data subjects as soon as they start using the service by creating their photo album on the website. This information must also be provided on the site in the general privacy notice.


2. Exceptions to the obligation to appoint a representative in the EU

Article 27(2) of the Regulation provides for an exception to the obligation to appoint an EU representative in two separate cases:

1) the processing of personal data is “occasional”, does not include large-scale processing of special categories of data referred to in Article 9(1) of the Regulation or of personal data relating to criminal convictions and offences referred to in Article 10, and is “unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”.

Although the Regulation does not define what constitutes “large-scale processing”, the Article 29 Working Party (WP29) Guidelines on DPOs[1] recommended that, in particular, the following factors be taken into account when determining whether processing is carried out on a large scale:

- the number of relevant data subjects - as a specific number, or as a proportion of the relevant population;

- volume of data and/or range of different data elements processed;

- duration or continuity of data processing activities;

- geographical extent of data processing activities;

2) the processing is carried out by a “public authority or institution”.


3. Appointment in one of the EU Member States

Article 27(3) of the Regulation provides that “the EU representative shall be appointed in one of the Member States where the data subjects whose personal data are processed for the purpose of offering them goods or services or whose behavior is monitored are located.”

Where a significant proportion of the data subjects whose personal data is processed are located in one particular EU Member State, the EDPB recommends that the representative be appointed in that Member State. The representative must nevertheless remain easily accessible to data subjects in the other Member States where it is not established but where goods or services are offered or where the behavior of data subjects is monitored.

The EDPB has confirmed that the criterion for the place of appointment of the EU representative is the location of the data subjects whose personal data is processed. The place of processing, even where processing is carried out by a processor established in another EU Member State, is not a relevant factor in determining where the representative is to be appointed.

For example, an Indian pharmaceutical company, which has neither a business presence nor an establishment in the EU and is subject to the Regulation under Article 3(2), sponsors clinical trials carried out by investigators (hospitals) in Belgium, Luxembourg and the Netherlands. The majority of patients participating in clinical trials are in Belgium.

The Indian pharmaceutical company, as data controller, must appoint an EU representative established in one of the three EU Member States in which patients participate in the clinical trials as data subjects (Belgium, Luxembourg or the Netherlands). Since the majority of patients are located in Belgium, the EDPB recommends appointing the representative in Belgium. At the same time, the representative in Belgium must remain easily accessible to data subjects and supervisory authorities in the Netherlands and Luxembourg.

In this particular case, the EU representative may be the legal representative of the clinical trial sponsor in the EU in accordance with Article 74 of Regulation (EU) 536/2014 on clinical trials, provided that it is established in one of the three EU Member States and that both functions are regulated and carried out in accordance with the laws of each of the said States.


4. Duties and responsibilities of the representative

The EU representative acts on behalf of the controller or processor it represents in relation to that controller's or processor's obligations under the Regulation, including in particular obligations relating to the exercise of data subjects' rights.

Although the representative itself is not responsible for complying with data subjects' rights, it is obliged to facilitate communication between data subjects and the controller or processor it represents in order to ensure that the rights of the data subjects concerned can be exercised effectively.

According to Article 30 of the Regulation, the representative of the controller or processor is obliged, in particular, to maintain a record of the processing activities for which the controller or processor is responsible. The EDPB considers that maintaining this record is a joint obligation and that the controller or processor not established in the EU must provide its representative with all accurate and up-to-date information needed so that the representative can maintain the record and make it available on request.

As explained in Recital 80 of the Regulation, the representative must perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with the Regulation. In practice, this means that a supervisory authority may contact the representative on any matter relating to the obligations under the Regulation of a controller or processor established outside the EU, and the representative must be able to facilitate any exchange of information or procedural interaction between the requesting supervisory authority and that controller or processor.

Where necessary, with the assistance of its team, the EU representative must be able to communicate effectively with data subjects and cooperate with the relevant supervisory authorities. This means that such communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned.

In accordance with Recital 80 and Article 27(5) of the Regulation, the appointment of an EU representative does not affect the responsibility or liability of the controller or processor under the Regulation and does not in any way preclude proceedings that may be brought against the controller or processor itself by a supervisory authority. In this regard, the EDPB draws attention to the fact that supervisory authorities may also initiate enforcement action against the representative, including the imposition of administrative fines and prosecution.


[1] Article 29 Working Party, Guidelines on Data Protection Officers (‘DPOs’), WP 243 rev.01.

Contacts for additional information:
Director of the Corporate and Commercial Law Department at GRATA International (Moscow)
T.: +7 (495) 660 11 84