Authorised representatives under GDPR
The General Data Protection Regulation (GDPR) has an extraterritorial scope of application, meaning that companies based outside of the EU but doing business within the EU will often be subject to the GDPR regime. This applies in respect of both controllers and processors.
WHEN IS AN EU REPRESENTATIVE REQUIRED?
Under the GDPR regime, an organisation without an establishment on the ground (such as an office) in the EU must appoint an authorised representative in a member state of the EU. While a representative is not always required, the threshold is low and applies when a company which is not established in the EU offers goods or services to individuals or monitors the behaviour of individuals in the EU. An authorised representative will likely be required in the following scenarios where personal data of EU citizens is collected:
• If an organisation is delivering goods or services to the EU;
• If an organisation accepts EU currency on its website or its website is in any of the EU languages; or
• If an organisation tracks any residents of the EU via, eg cookies.
Since Brexit, UK organisations that meet these criteria need to appoint an EU representative.
WHAT DOES A REPRESENTATIVE DO?
An authorised representative must be formally appointed to act on the organisation’s behalf with regard to its obligations under the EU GDPR. In practice, the easiest way to do this is via a service contract. This document will regulate the relations between the organisation and the representative, and will help the controller or processor to comply with their obligations under the relevant GDPR regime.
An authorised representative will:
• Facilitate communication between data subjects and the entity that is represented. Data subjects should be able to contact the representative if they have any queries or issues with how their personal data is being used or if they would like to submit a rights request;
• Cooperate with the relevant supervisory authority and assist in the investigation of any complaints or enforcement action against an organisation;
• Maintain a record of an organisation’s processing activities and provide this when requested by a supervisory authority.
To ensure that a representative has up-to-date information to hand, the controller or processor must provide their representative with accurate and updated information. Data protection authorities can (and do) impose fines on organisations for failing to appoint an authorised representative. For example, the Dutch Data Protection Authority fined a non-EU website provider €525,000 for its failure to act in compliance with its GDPR obligations, including failure to appoint an EU representative.
Following Brexit, the UK has mirrored the EU GDPR regime. While the EU GDPR no longer applies directly in the UK, it has been effectively duplicated in UK law via the UK GDPR. This means that organisations outside the UK may need to appoint a UK authorised representative if the personal data of UK citizens is collected and processed by non-UK organisations in similar circumstances to those mentioned above for an EU representative. In July 2022, however, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) introduced the Data Protection and Digital Information Bill to the UK Parliament, which would have made significant changes to the UK’s data protection laws. One such proposed change was the abolition of the requirement to appoint an authorised representative in the UK. With recent changes to the UK Government, the bill that was proposed by the DCMS has been delayed and its proposed reforms are uncertain.
DO YOU NEED TO APPOINT AN EU OR UK REPRESENTATIVE?
Shepherd and Wedderburn LLP, and our Irish subsidiary Saltire Data Protection Services Limited, already act as authorised GDPR representatives in both the UK and the EU for a number of clients, with an experienced individual appointed as a point of contact to those who utilise this service.
If you require similar support, or would like advice on whether your organisation needs to appoint an authorised representative under EU GDPR or UK GDPR, please visit shepwedd.com/expertise/technology-media-telecoms/gdpr or contact Joanna Boag-Thomson, Partner in our media and technology team or Rachael Brooks, Solicitor in our media and technology team.
Authors: Joanna Boag-Thomson and Rachael Brooks are on Shepherd and Wedderburn’s media and technology team.
Partner Content in association with Shepherd and Wedderburn.