Under the EU GDPR (General Data Protection Regulation), North American organizations with no establishment in the EU may be required to designate an EU-based representative as the contact point for data subjects and supervisory authorities in Europe on questions of data protection.
The scope of the GDPR
The GDPR doesn’t just apply to EU-based organizations. Under Article 3(2), non-EU organizations must also comply if they offer goods or services to individuals in the EU (for example, an e-commerce website that accepts payments in an EU currency or ships to EU addresses) or if they monitor the behaviour of individuals in the EU (for example, online behavioural advertising or analytics services that track EU visitors).
Under Article 27 of the GDPR, organizations that fall within this scope but have no establishment in the EU must designate, in writing, an EU-based representative to deal with various aspects of data protection on behalf of, or in conjunction with, the organization.
The representative must be established in one of the EU member states where the individuals whose data is processed are located; in practice, this is usually the member state in which the organization does the most business. The organization must also make the representative’s identity and contact details available to data subjects (typically in its privacy notice) and to supervisory authorities.
The representative’s role includes:
- Represent the non-EU organization with respect to its GDPR obligations
- Serve as a contact point for and liaise with data subjects and supervisory authorities
- Hold a record of the organization’s processing activities
The representative is not itself responsible for the organization’s GDPR compliance, but if the organization violates the GDPR, the supervisory authority may take enforcement action against the representative, including imposing a fine. This gives supervisory authorities a means of enforcing the GDPR against organizations outside the EU, so it’s up to the representative to ensure its contract with the organization allows it to recover any fines and costs.
There are two exemptions from this requirement. The first applies only when all of the following conditions are met: the processing is occasional; it does not include large-scale processing of special categories of data (such as health, biometric or genetic data) or data relating to criminal convictions and offences; and it is unlikely to result in a risk to the rights and freedoms of individuals. The second applies if the organization is a public authority or body.
Subsidiaries don’t always count
It’s important to note that simply having a subsidiary based in the EU may not excuse you from needing an EU representative. If the subsidiary is managed at arm’s length via a services or distribution agreement, and that EU-based entity has neither control over the data-processing decisions of the business nor the power to implement them, then the subsidiary may not count as a main establishment in the EU for the purposes of the GDPR. In that case, the organization may still need to designate an EU representative.
How IT Governance can help
We offer an annual subscription EU Representative service. As your EU representative, we will:
- Register our EU address as your GDPR representative address
- Be the point of contact for communications from individuals in relation to data subject access requests and other privacy enquiries
- Liaise with the data protection authorities on all matters pertaining to the GDPR, including data breach reporting
- Hold a record of your processing activities and make it available at the data protection authorities’ request