FREQUENTLY ASKED QUESTIONS
CAN MY DPO BE MY EU REPRESENTATIVE AS WELL?
No. Guidance issued by the European Data Protection Board in November 2018 clarified that there is a potential conflict of interest between the roles of Data Protection Officer and EU Representative, so the two roles should not be held by the same person or company.
MUST THE DATA PROTECTION REPRESENTATIVE BE AN INDIVIDUAL PERSON?
No. The Data Protection Representative can be a company: it must be a legal person (which includes a company), but it does not have to be a natural person (an individual).
If appointed by you, DPR Group becomes your Data Protection Representative in the EU, able to accept and manage communications on your behalf.
I HAVE A DATA PROTECTION OFFICER (DPO) / I DON'T NEED A DPO, AM I OK?
No. The obligation to appoint a DPO is a separate obligation (under Article 37 of GDPR). The DPO is responsible for oversight of your data protection strategy and compliance with GDPR, and works within your business.
A Data Protection Representative is based in the EU member states where your customers live, and is their local point of contact for raising data requests with your business.
WHERE SHOULD MY EU REPRESENTATIVE BE BASED? / DO I NEED TO BE REPRESENTED IN EVERY MEMBER STATE OF THE EU?
Guidance issued by the European Data Protection Board in November 2018 clarified this. You should appoint an EU Representative that is established in the EU member state where you have the largest number of data subjects, and data subjects in other EU member states should also have easy access to the Representative.
DPR Group has representation and a physical postal address in every EU member state, giving equal access to all persons and protecting our clients against accusations that they have not properly catered for the needs of individuals in the EU.
THIS SEEMS ODD - HOW CAN THE EUROPEAN UNION ISSUE MY NON-EU COMPANY WITH A MULTI-MILLION EURO FINE?
It is one of the key principles of the European Union that the rights of individuals are protected, and this protection extends beyond the EU to the rest of the world, ensuring that, in a modern world of decentralised data, the privacy of European citizens remains protected when their data leaves the Union.
Some businesses have struggled with modern data protection practices and are concerned about the consequences of an increasingly likely data breach and the reputational damage that results. If you require assistance in this area, please contact us so we can discuss your requirements.
In order to meet the needs of the EU market, the GDPR protections are likely to become standard across most multi-national companies.
THE INTERPRETATION OF GDPR IS STILL UNCLEAR, WHY NOT WAIT UNTIL THERE IS A BIG FINE FOR SOMEONE ELSE, AND THEN CHANGE?
The European Court of Justice has consistently supported the right of individuals to keep their data within their control. The Schrems case is the best-known example: an Austrian Facebook member took the social media giant to court for potentially allowing his data to be accessed by the National Security Agency in the USA, and the US-EU Safe Harbour scheme subsequently collapsed. Others, such as the recent WhatsApp case in the Netherlands, show that the most sensible reading of EU data protection law is that it will be interpreted to the benefit of the individual.
It is also possible that the level of fine will depend on the point at which a data controller or processor begins to act on the GDPR, with businesses that only choose to act after the expiry of the two-year grace period (ending 25 May 2018) potentially receiving larger fines.
There is one other aspect to consider - protecting the data of your customers can be a substantial benefit to your business when seeking to acquire and retain customers, who are increasingly conscious of how their data is stored and used.
MY BUSINESS IS BASED IN A COUNTRY WHICH HAS AN 'EQUIVALENCY' RULING OR IS COVERED BY THE PRIVACY SHIELD - DO I STILL NEED A DATA PROTECTION REPRESENTATIVE?
The EU recognises some countries as having data protection laws equivalent to those in the EU. These are the other EEA countries (Iceland, Liechtenstein and Norway) as well as Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU permits transfers of data to these countries without extra measures, such as binding corporate rules, being put in place. The USA has a similar arrangement via the 'Privacy Shield', the replacement for the failed 'Safe Harbour'.
BUT this does not remove the need for a Data Protection Representative. The equivalency ruling relates to the transfer of data across international borders; it makes no difference to the obligation on a non-EU data controller or processor to appoint an EU-based Data Protection Representative under Article 27.
WHAT ABOUT THE UK AND BREXIT?
The UK will still be part of the EU when enforcement of GDPR commences on 25 May 2018, so the UK will be subject to GDPR at that time.
It is not currently clear what will happen after the UK leaves the EU, but it is likely that at some point data controllers and processors in the UK with customers in the EU will be placed in the same position as other non-EU businesses were on the commencement of GDPR, and those UK businesses will also require an appointed Data Protection Representative. The timescale over which this will occur is currently unclear.
However, because the UK will want to continue to share data with the EU post-Brexit, it is expected that the UK will put in place obligations similar to GDPR, so businesses that control or process the personal data of UK citizens are likely to be in the same position. You can read about our Brexit-related services on our website.