GDPR’s Mandatory EU Representation... Are You Exempt? Find Out Here.

The Spider Guard Data Protection Guide:

By Aaron Martin - 08 Aug 2018


Regardless of the service you’re providing - whether it's CRM, web hosting, cloud-based apps & resources, or something more exotic - you’re now required to comply with the European Union’s General Data Protection Regulation (GDPR) if any of your customers or end users are from the EU.

Yes, compliance is mandatory.

The trouble is, a lot of non-EU businesses are unsure what “compliance” actually means for them. Beyond privacy policies and cookie pop-ups, it just so happens there’s a lesser-known but very important GDPR requirement for companies that don’t have a physical presence in the EU, and if you were paying attention to the title of this article you can probably guess what that is: EU Representation.

If this is the first time you’re learning about the EU rep role, you’re not alone. Most of the public discussion over the past year has been about getting EU-based business compliant, while businesses outside the Eurozone have largely been an addendum to the story. This puts those businesses in a risky situation because they are still required to comply and face the same penalties as their EU counterparts.

As data protection consultants who offer EU representation and DPO services, we get a lot of questions from businesses wondering about their responsibilities under GDPR, so we put together this informational article to shed light on the subject.

Here’s what you as a service provider outside the EU need to know:

Article 27

The GDPR states in Article 27 that certain organisations not located in the EU must appoint a qualified individual located in an EU member state to represent them if they meet certain criteria:

  1. If you collect or handle data from EU citizens
  2. If you do not have a physical presence in the EU

First off, you should know a) if you collect data from data subjects within the EU, b) what type of data you collect, c) what you do with it, and d) how you protect the privacy of those individuals.

If you’re not sure, we strongly advise you to consider consulting with a qualified and capable data protection professional.

The GDPR covers any personal data that relates to data subjects within the EU - not just residents or citizens - and those who are covered under GDPR are well within their rights to request information or even make complaints about their data that you process. A simple failure to respond to a request for information is considered a breach of regulatory obligations. Not knowing how to respond, failing to respond on time, or otherwise mishandling the situation will likely give rise to a complaint which will put you under the scrutiny of the data protection authorities who have been handed tools to punish transgressors.

One of the EU rep’s responsibilities is to help you avoid these consequences.

An EU rep will help you organise the EU data you process and liaise with the authorities whenever the need arises. Meanwhile, your customers will appreciate having an informed point of contact, which will result in improved customer experiences and, in turn, improved customer trust.

One question you might be asking is why the EU considers this representation so important for businesses that aren’t based in the EU. From a practical standpoint, having a representative in the EU ensures that there is a local point of contact for any citizen in the EU who wants to inquire about how you handle his or her data. The rep will speak the same language, know the rules and customs, and is in the same time zone, to name a few benefits. It just makes the process easier for everyone, and your customers will thank you for fulfilling this obligation if they ever need to contact you about their data.

Is your data processing on a large scale?

There is a caveat in Article 27 stating that a business is exempt from the EU rep requirement if they do not process data on a large scale. So, you might ask, “What is the GDPR definition of ‘large scale’?” The answer is they don’t have one. This is another one of those undefined terms that the GDPR nevertheless places a high importance on. Fortunately, a well-recognized advisory body known as the EU’s Article 29 Working Party stepped in to clarify this issue. According to them, data processing could be considered to be on a large scale due to a combination of factors including:

  1. the number of data subjects involved and the amount of data,
  2. the range of types of data (do you create an exhaustive data profile about the subject, or just ask them their age and gender),
  3. the geographical range across which the data is processed (e.g. across all of mainland Europe versus only in Lyon, France), and
  4. the duration and permanence of the data processing.

So, you may be able to rule yourself out based on this factor if you only collect data from 100 people a year. But if, for example, you have several thousand customers and/or you collect a wide range of data, then you definitely need to have a representative in the EU to be in compliance. If any of your customers exercises their rights and submits a formal inquiry about their data that you process, you will be found in breach and the authorities in that member state will act accordingly.

What an EU Representative Will Do for You

So you've decided to get compliant by appointing an EU rep?

As much as this may seem like an added financial burden, there are clear benefits to having one. An EU rep shoulders the responsibility of acting as the GDPR point of contact in the EU for your entire organisation. If and when your EU customers or the supervisory authorities that serve them request information about the data you process, your EU rep will respond to those requests in a timely and appropriate manner - and you won’t have to. In the event of a data breach, the rep will be your liaison with the regulatory authorities. This includes reporting the incident within the mandatory 72-hour window.

Above all, any time one of your data subjects has a question about the data you handle, your EU rep will step in.

In addition to the above, your EU rep will assemble and manage all your records of processing activities. This, along with every other responsibility of the EU representative, is an ongoing process. For these purposes, the EU rep must be available to work closely with your organisation on a regular basis.

How to Appoint an EU Representative

At a bare minimum, appointing an EU representative means drafting a document that states in writing your decision to do so and including this individual’s contact details, role, and their obligations. At Spider Guard, we’ll ask all the important questions to find out IF you need an EU rep and, if you do, we’ll make sure you have everything you need in case the authorities come knocking. Once we’ve established your unique business needs, we’ll be your go-to for any GDPR and data protection questions. And if you find yourself wanting to take the next step and outsource all your data protection needs to us, EU representation is included. Our team’s expertise extends well beyond EU representation. We offer data protection officer services and privacy consulting outside the GDPR, including data breach prevention training for your staff.

In short, we can do all of the heavy lifting when it comes to GDPR and beyond.

Ready to appoint a Spider Guard EU representative? Click the ‘Speak to an Expert’ button below to schedule a consultation with one of our GDPR experts. Or you can find out more about our EU Representative service by visiting https://www.spiderguard.io/eu-representative/.
