Introduction
On 1st January 2021, absent a deal between the UK and the EU on data protection, it will be necessary for UK-based entities whose personal data processing activities are subject to the General Data Protection Regulation (GDPR) to appoint an EEA-based representative if they do not themselves have an EEA-based affiliate or branch.
How do you know if this applies to you?
If you are UK-based and process personal data as either a controller or a processor and you do not have a branch, office, or other establishment in any other EU or EEA state, but you process personal data in:
- offering goods or services to individuals (data subjects) in the EEA; or
- monitoring the behaviour of individuals (data subjects) in the EEA,
you still need to comply with the GDPR in respect of this processing with effect from 1st January 2021. If so, then you must appoint a representative which is established in a member state in which the relevant data subjects reside.
If you want chapter and verse, the relevant GDPR provisions are Recital 80 and Article 27. The Information Commissioner’s Office (ICO) guidance is here (it’s relatively brief), and the European Data Protection Board (EDPB) guidance is here (see page 23 onwards).
What are the obligations of the Representative?
The representative must:
- be an individual, company or organisation established in the same member state as some of the relevant data subjects;
- be appointed by written mandate to act on behalf of the controller or processor. The written mandate must set out the tasks allocated to the representative which must include cooperating with the relevant supervisory authority and data subjects for the purpose of ensuring compliance with GDPR;
- be identified in the controller/processor’s privacy notices;
- not be the same as an organisation’s external DPO or a data processor (due to potential conflicts of interest); and
- keep a record of the processing activities under the responsibility of the processor or controller (in addition to the controller/processor’s separate obligations to keep its own records of its processing activities).
The purpose of the representative is to facilitate enforcement action and communication with data subjects. However, it is somewhat unclear what form such enforcement action would take in practice: Recital 80 states that the representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor, but the EDPB’s view is that supervisory authorities cannot find representatives liable for breaches by the controller or processor (only for the representative’s own failings to keep records, as required by Article 30). As such, the representative will likely occupy a similar role to a process agent, relaying communications between supervisory authorities and UK-based controllers/processors. As it is not yet clear exactly how the role will function, and the current guidance is not entirely consistent with the legislation, representatives may seek indemnities for any liability they incur as a result of controller or processor non-compliance.
Are there any exceptions?
Not many. The obligation to appoint a representative does not apply to processing which:
- is occasional;
- does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences; and
- is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
So if this applies to you what must you do?
If the obligation applies, you will need to find a representative, agree mandate terms, enter into a written agreement which reflects the mandate, and amend your privacy policy to inform data subjects of the identity of the representative. There does not appear to be any obligation to register the representative with any supervisory authority. We are discussing this with a number of companies which are considering offering representative services.
If you need advice on whether the obligation requires you to appoint a representative or the terms on which a representative has offered to act on your behalf or would like us to introduce you to potential representatives, please contact the authors or your usual contact.
The views expressed herein are solely the views of the authors and do not represent the views of Brown Rudnick LLP, those parties represented by the authors, or those parties represented by Brown Rudnick LLP. Specific legal advice depends on the facts of each situation and may vary from situation to situation. Information contained in this article is not intended to constitute legal advice by the authors or the lawyers at Brown Rudnick LLP, and it does not establish a lawyer-client relationship.