GDPR: To EU and beyond

Concerning the appointment of a representative in the EU

The GDPR is becoming the global standard for the protection of personal data. With the explosion in the number of scandals (Cambridge Analytica, etc.) related to the disclosure of personal data, ensuring the protection of data is no longer just about compliance and avoiding fines of up to 20 million euros; it is also, and above all, about restoring consumer confidence in the digital economy, in short, being transparent. One of the major innovations of the GDPR is its territorial scope. Behind this seemingly obscure notion lie in fact very simple principles: companies not established in the EU that process data relating, inter alia, to the offering of goods or services to persons in the EU are covered by the GDPR. One of the major consequences is that such companies, whether they are controllers or processors, must appoint a “representative” in the EU.


Are companies not established in the EU concerned by the GDPR?

Yes, as long as the personal data they process are related to the offering of goods or services, paid or free, to persons within the territory of the EU[1]. This would be the case for e-commerce sites, mobile application providers, cloud providers, etc. The Court of Justice of the European Union has ruled that the use of an EU language or currency, the ability to place orders in a European language, and referring to users or customers in the EU are all indications that a company’s activity is directed towards the EU. There are also other criteria, such as paying a search engine to facilitate access to the service by people in the EU (search engine optimisation services), targeting an EU Member State by name, mentioning telephone numbers with an international code (+33, etc.), or using a domain name such as “.fr” or “.eu”[2].

Furthermore, the GDPR also applies to companies that monitor the behaviour of persons in EU territory (provided that this behaviour takes place within the EU). For example, if a company not established in the EU profiles European Internet users on their consumer behaviour in the EU, then it will be subject to the principles of the GDPR. This applies even where the profiling is intended for decision making that consists in analysing or predicting people’s preferences, behaviours and attitudes.


How should a representative be appointed?

The representative must be explicitly designated in writing by the controller or processor to act on its behalf[3].


In which country should companies appoint a representative?

The representative must be established in one of the EU Member States in which the data subjects are located. In other words, the representative must be established in an EU country where the persons whose personal data are processed in order to offer them goods or services, or whose conduct is monitored, reside[4].


What is the role of the representative?

The representative acts as the contact person for the supervisory authorities and for individuals. It acts on behalf of the controller or processor to fulfil their duties under the GDPR[5], and should be available for consultation by the supervisory authorities and the persons concerned.

The representative is also responsible for keeping the company’s register of data processing activities, whether the company acts as processor or controller. This register must include the name and contact information of the representative. The representative is obliged to make this register available to the supervisory authority[6].


What is the representative’s responsibility?

The controller or processor remains legally responsible for compliance with the GDPR[7]. However, the designated representative can be subject to enforcement procedures in the event of non-compliance with the GDPR by the controller or processor[8]. The supervisory authority may order the representative to provide any information it needs for the performance of its tasks[9].


Should the identity of the representative be included in the information given to persons?

Yes, the persons whose data are collected or processed must be informed of the identity of the representative. This applies whether you collect the data directly from the persons[10] (direct collection) or obtain the data of the persons through someone else[11] (indirect collection).


Are companies not established in the EU but concerned by the GDPR still obliged to appoint a representative?

No, if the processing performed by the company:

– is occasional,

– does not include, on a large scale, processing of sensitive data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation) or of personal data relating to criminal convictions and offences,

– and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing[12].

It should be noted that processing carried out by a public authority or a public body does not require the appointment of a representative in the EU.


Can the representative be the DPO?

Yes, and in this case the representative will fulfil the missions of a DPO in addition to its missions as representative. Therefore, companies that are not established in the EU but are covered by the GDPR should strongly consider appointing a representative in the EU who can also act as their DPO.

Arthur Bouvard

[1] Article 3(2) GDPR
[2] CJEU, Joined Cases C-585/08 and C-144/09, Pammer v Reederei Karl Schlüter GmbH & Co, and Hôtel Alpenhof v Heller.
[3] Article 27(1) GDPR
[4] Article 27(3) GDPR
[5] Article 4(17) GDPR
[6] Article 30 GDPR
[7] Article 27(5) GDPR
[8] Recital 80 GDPR
[9] Article 58 GDPR
[10] Article 13 GDPR
[11] Article 14 GDPR
[12] Article 27(2)(a) GDPR