If you do business with EU citizens, you must comply with the General Data Protection Regulation (GDPR), including the mandate in Article 27 requiring many non-EU companies to appoint a data protection representative (DPR) in the EU.
To learn more, I contacted Tim Bell, managing director of DPR Group, a provider of EU DPR services through its network of 28 locations (one in each EU member state). Tim prefers the term “EU representative” to DPR, use of which can cause some confusion with the separate role of data protection officer (DPO) found in GDPR Article 37. DPR and DPO are distinct roles that should be undertaken by different people at different companies; still, many people confuse them.
What is the requirement for a DPR, as spelled out in Article 27?
Article 27 of GDPR requires that a company which a) is outside the EU (i.e., has no EU office), and b) provides goods or services into the EU (whether at a cost or for free) or monitors people there (e.g., follows individuals’ Internet activity with use of a cookie), must appoint an EU representative. This applies whether the company is a data controller or a data processor for the purposes of GDPR.
There are exemptions -- mainly for public sector organizations and matters outside the scope of EU law (e.g., national security). There’s also an exclusion for companies that undertake only “occasional” EU data processing, but as “occasional” has yet to be clarified, it might be best not to rely on this exemption until there’s some clarity. (When asked, I usually say that if a company’s data processing is more than 5-10% in the EU, or if it processes data for more than a few hundred EU individuals, it should be very cautious when relying on this exemption.)
What are the responsibilities of a DPR?
The primary operational role is to act as the point of contact for EU-based data subjects and data protection authorities who wish to contact the non-EU data controller/processor. The representative will hold copies of the data controller/processor’s Article 30 records of processing, and make these available to the EU data protection authorities if requested. Good representatives will have connections with translation companies, law firms, and privacy consultants so they can direct their clients to such professional advisors as necessary.
In addition, the DPR accepts a degree of liability for client GDPR violations. If a company outside the EU fails to meet GDPR’s requirements and then fails to meet fines or provide requisite compensation, its representative may be asked to make payment in its place (as originally set out in Recital 80 of GDPR and since confirmed in the European Data Protection Board’s guidance in March 2018). As a result, the representative role will mostly be taken up by specialized firms and not individuals within the non-EU company itself (compared to the DPO role, which is mainly taken up by an individual rather than a company).
How do you qualify to become a DPR?
There’s no specific qualification required by GDPR for an individual or organization to be appointed as an EU representative. However, in order to adequately represent non-EU clients, the earlier noted European Data Protection Board’s guidance makes clear that the representative should be established in the EU country where its non-EU client has the largest number of data subjects, and data subjects in other EU member states should also find the representative “easily accessible.”
The same guidance also confirms that the EU representative and DPO should operate separately from one another, because of the potential risk for a conflict of interest between them. EU representatives act entirely at the instruction of their clients, whereas DPOs are required to have a degree of independence, able to raise concerns to the senior management of the companies for which they act.
What are the liabilities for a company that doesn’t have a DPR?
Failure to meet Article 27 of GDPR can result in a fine of up to the larger of €10 million [approximately $13 million] or 2% global revenue (Article 83(4)(a)).
Are the GDPR regulations static or changing?
The GDPR itself is static for the moment, but its transcription into local member state law is variable across member states. Differences in interpretation by national courts and data protection authorities are likely to mean that how the GDPR is intended to operate remains open to interpretation in some areas.
Do you expect interpretations to come from courts? Which ones?
This is definitely expected. Ultimately the European Court of Justice (ECJ) will decide on the detailed interpretation of the role of the EU representative, but in the meantime the initial interpretation will come from the EU data protection authorities. The rulings made by these authorities will then be subject to appeal in local (EU member state) court, which will have the option to refer questions relating to areas on which they’re uncertain to the ECJ.
GDPR court rulings are only starting to come through (the process can take a long time, from the report of an incident, through an investigation by the relevant data protection authority to the eventual court proceedings).