What is a GDPR representative?
A representative makes it easier for individuals to enforce their GDPR rights, because they will have a single point of contact for requests such as access, rectification and erasure; it also makes it easier for supervisory authorities to exercise their enforcement powers against controllers and processors with no presence in the EU (or UK, as applicable).
A representative is:
- a person (or it could be a law firm or consultancy) which acts as a point of contact between an organisation without a presence in the EU and individuals in the EU as well as the relevant supervisory authorities;
- a person (or it could be a law firm or consultancy) which acts as a point of contact between an organisation without a presence in the UK and individuals in the UK as well as the Information Commissioner’s Office (ICO) (the relevant supervisory authority in the UK).
A representative may need to be engaged in the UK, the EU or even both, depending on the location of the organisation’s main place of business. Failure to appoint a representative when required to do so is a breach of the GDPR (and will be a breach of the UK GDPR – more on that later) which could result in fines.
Who needs a representative?
Organisations outside the EU – including the UK – must still comply with the GDPR if they process the personal information of people who live within the EU because they offer goods or services to people in the EU and/or monitor people’s behaviour in the EU itself.
Similarly, from 1 January 2021, these rules will also apply to organisations outside the UK which process personal information of people in the UK, under what is known as the UK GDPR – which is basically the GDPR amended so it makes sense in a domestic-only context.
If such organisations do not have a presence (known in GDPR terminology as an ‘establishment’) in the EU (or UK as the case may be), they must appoint a representative in the EU (or UK).
Who doesn’t need representation?
Organisations based outside the EU (or UK) which are subject to the GDPR or UK GDPR do not need to appoint a representative if:
- they have an ‘establishment’ in the EU (or UK) – rather unhelpfully the GDPR does not define what is meant by an ‘establishment’ but it need not be a branch or a subsidiary; in some cases a single employee or agent may suffice; or
- their processing of personal information of people in the EU (or UK) is occasional and does not include large scale processing of special category or criminal convictions and offences information, and the processing is unlikely to result in a risk to the rights and freedoms of individuals taking into account the nature, content, scope and purposes of the processing; or
- the organisation is a public authority or body.
How to appoint a representative
A representative must be appointed by written contract and act in accordance with it. An EU representative should be appointed in the member state where there is a significant proportion of individuals whose personal information is processed. If those individuals are in multiple member states, the representative must be easily accessible to people in all of them and able to communicate in their language(s).
Once a representative has been appointed, the appointing organisation remains responsible and liable for its obligations under the GDPR (or UK GDPR) and supervisory authorities can initiate enforcement action against it. However, enforcement action may also be taken against a representative which fails in its obligation to keep the record of processing activities (Article 30 record) or to co-operate with supervisory authorities exercising their investigatory powers. Organisations should expect to be asked to indemnify their representative against fines and such liability.
One Stop Shop and lead supervisory authority
An organisation based outside the EU, without an establishment anywhere in the EU, cannot benefit from the One Stop Shop mechanism (which saves organisations from having to liaise with multiple regulators), even if it has appointed an EU representative. The end of the Brexit transition period means that many UK-based organisations which process the personal information of people in the EU will have to engage with a number of different supervisory authorities in future.
Organisations with an establishment in the EU whose lead supervisory authority was the ICO must assess whether they can identify a new lead supervisory authority in the EU if they continue to carry out cross-border processing in the EU. This will allow them to continue to benefit from the One Stop Shop.