The GDPR EU Representative under Article 27 - what it is, when you need one and Brexit effects
Updated: Apr 1, 2019
First published in Privacy Laws & Business UK Report, March 2019, under the headline "GDPR EU Representative – the “hidden obligation” and Brexit", see www.privacylaws.com
“What’s a Representative?”, “Ah, you mean the DPO?”, “We don’t process any data in the EU, so we’re fine”.
It can be frustrating to attempt to discuss the EU Data Protection Representative obligation under Article 27 of GDPR with companies which may require it, and sometimes even with fellow privacy professionals, but the lack of awareness of this requirement is relatively understandable. Now, as with so many other business activities, “Brexit” is adding an extra level of confusion to the role.
Essentially, the EU Representative is required by any company which sells to, or monitors, individuals in the EU, but has no establishment (office, factory etc) in the Union. The company (or, less commonly, individual) appointed to this role acts as the point of establishment in the EU, taking on the administration and liabilities of the data controller or processor based outside. Because the Representative requirement is extra-territorial in nature, it isn’t required by companies in the EU – they are already established here – so there’s no need for them to know about it. As a result we’re not discussing it in the EU, or including reference to this obligation in the plethora of materials which have come out of the EU in the last couple of years in the run up to, and during the initial operation of, GDPR. That makes sense; GDPR can be complicated and frightening already, without listing additional, unnecessary requirements.
The knock-on effect of this, for those companies outside of the EU which are obliged to appoint an EU Representative, is that their preparations – usually based on materials sourced from the EU (and where else would they seek their information on this EU law?) – never even touch upon this requirement. There are exceptions of course, but the issue is exacerbated by the fact that the larger multi-nationals headquartered outside of the EU which are able to justify the expense of a decent privacy consultant will usually also have an office of some kind in the EU, meaning this requirement isn’t imposed on them either.
The EU Commission hasn’t helped in spreading word of this responsibility, presumably taking the view that companies which will need to make the appointment will simply have to read the Regulation to appreciate this requirement (accusations that the Union has no sense of humour are clearly unfounded). Our organisation coined the phrase the “hidden obligation” in December 2017, to highlight this failure to spread awareness of the EU Representative role.
The EU Representative obligation – a summary
For reference, Article 27(1) states:
Where Article 3(2)* applies, the controller or the processor shall designate in writing a representative in the Union.
(NOTE: Article 3(2) gives extra-territorial effect to GDPR)
There are some exclusions and, in summary, an organisation is obliged to appoint an EU Representative if it:
Has no establishment (a location undertaking “effective and real exercise of activity through stable arrangements” [Recital 22]) in the EU, and
Sells goods or services in the EU, or monitors individuals there, and
Is not a public authority, and
Does not satisfy the occasional exemption (see the “Exclusions” section below)
Some of the uncertainties in the requirement have, fortunately, been clarified by the European Data Protection Board “Guidelines 3/2018 on the territorial scope of the GDPR” (the “Guidelines”) issued in November 2018, but this clarification is to be found at the back of the Guidelines, following a thorough assessment of the extra-territorial effect of GDPR, and as a result it may also have been missed by many.
The Guidelines confirmed:
The EU Representative should be established in the EU member state where the non-EU data controller or processor has the largest number of data subjects
Notwithstanding their location in such member state, the EU Representative should be easily accessible to data subjects in other member states where the data controller or processor provides their goods/services or monitors individuals
That the Representative can be held liable for their clients’ failures to meet the requirements of GDPR
The last part was a sobering revelation to many, but simply clarified the position set out in Recital 80 of the Regulation – “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
While the liability position may be uncomfortable for those considering – or already – providing these services, it makes sense in the context of how GDPR views the Representative role. Recital 80 is again the source of understanding this purpose – its wording implies that the Representative is there not just to be a point of contact, but to effectively act as the EU outpost of the non-EU data controller or processor (it is interesting to compare this Recital to the equivalent wording of Recital 65 of the EU Directive on security of network and information systems, better known as the NIS Directive, which imposes a representative requirement in respect of cyber security for some non-EU digital service providers, but without an assumption of liability for that representative).
This goes to the heart of the extra-territorial effect of GDPR – if there is a desire to ensure that GDPR can be enforced against non-EU organisations, it shouldn’t be possible for them to use any legal processes available in their own country to frustrate that enforcement. Having an additional point of legal responsibility in the Representative therefore means that supervisory authorities in the EU have a further route to that enforcement and to obtaining redress for data subjects. It is worth noting that in the Spanish law transposing GDPR (Real Decreto-ley 5/2018, de 27 de julio: https://www.boe.es/eli/es/rdl/2018/07/27/5, specifically Article 3(1)(c) of Chapter 2), Spanish courts have the option to apply equal liability to the EU Representative and their data controller/processor client, so technically Spanish authorities might be able to bring proceedings immediately against the EU Representative, without having first sought to enforce penalties against the at-fault controller/processor.
In addition to the requirement to act as the EU point of contact for the data controller/processor, the EU Representative is required to retain a copy of their clients’ records of processing (Article 30), make those records available to the supervisory authorities on request, and cooperate with the supervisory authorities on request. Although not stipulated by GDPR, a reasonable provider of the Representative service would likely also have a source of translation services and legal advice in the various EU jurisdictions, whether internal capacity or via a network of professional partners.
Exclusions from the EU Representative obligation
There are exclusions to this requirement; organisations aren’t required to appoint an EU Representative if:
They have an establishment in the EU [Articles 3(2) & 27(1)]
They are public sector organisations [Article 27(2)(b)]
Their data processing is undertaken in the course of an activity which falls outside the scope of EU law (e.g. national security, criminal activities) – this exclusion is very narrow, and will apply only in rare situations [Article 2(2)(a) & (d)]
Their data processing is (a) ‘occasional’, and (b) not ‘large-scale processing’ of sensitive categories of data or criminal offences, and (c) which is not likely to result in a risk to the rights and freedoms of people [Article 27(2)(a)].
The ‘occasional’ exemption is the least understood of these, and the author anticipates that it will be the first port of call for the legal advisors of any company which is looking to justify having not appointed a Representative. However, the exclusion is narrower than it at first appears, and having to pass all three elements of the test means that it is unlikely to apply in as many circumstances as data controllers/processors may hope.
Guidance on what constitutes ‘large scale processing’ and ‘occasional’ remains somewhat vague, inconsistent between member states and subject to challenge in court. Having said that, factors such as the number of data subjects, the sensitivity of the data, the geographical spread of the data subjects (or the undertaking of the processing activities), the portion of the controller/processor’s business to which it relates and the duration of the processing (i.e. retention periods) should be taken into consideration when coming to a decision as to whether those labels apply to an organisation.
Where should the EU Representative be based?
The wording of Article 27 originally gave some hope to organisations which wanted a simple route to their Representative appointment, and seemed to imply that any EU nation where the non-EU data controller/processor had data subjects would be acceptable:
27(3) – The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
This has been changed following publication of the Guidelines, and the new position is much more closely focused on delivering a good level of responsiveness for the data subjects and supervisory authorities. The Guidelines stipulate that the EU Representative should be located in the EU member state where the data controller/processor has the largest number of data subjects, and also that the Representative should be “easily accessible” to data subjects in other member states.
This new requirement makes complete sense in the context of the Representative’s purpose – if a significant part of the intended remit of the Representative is to be the point of contact for data subjects, such contact should be made as convenient as possible; there’s no point in having a Representative in Ireland or Belgium if all your data subjects are in Latvia or Hungary. In the author’s view, this is also an important aspect of the customer experience for the clients of that controller/processor – when they seek to exercise their rights under GDPR, they probably wouldn’t see any greater convenience in raising a subject access request with a Representative from which they’re separated by a number of other EU countries, compared with simply raising their request with the data controller/processor themselves outside of the EU. That view doesn’t help those companies which have appointed an EU Representative based on the GDPR wording as their primary consideration, and the presumption is – at least for this first year of GDPR enforceability – that appointments made prior to publication of the Guidelines would not give rise to any significant liability for being in breach of them, although those controllers/processors which made such an appointment are no doubt looking for a more compliant provider for their EU Representative service after their first annual appointment ends in May 2019.
In reality, the best way to be compliant with this geographical issue is to appoint an EU Representative with a number of locations around the EU, so that data subjects are easily able to raise their queries and enforce their rights conveniently in their own country, even if that country isn’t the primary market for the controller/processor – but there are few providers of the Representative service which make this possible.
Brexit – how does it affect the Representative obligation?
Firstly, it’s worth noting that the position set out below applies only in the event of a ‘no-deal’ or ‘hard’ Brexit, where the UK leaves the European Union without an agreement on how to divorce amicably. If the UK does agree a deal with the EU, there is expected to be a transition period after the UK’s supposed exit date, during which it is likely the present position will continue: with the UK being effectively an EU member state for the purposes of the Representative requirement. At the date of writing this article (and – probably – the date of its publication), there is no clarity on whether this will be the case. I will avoid adding to the proliferation of commentary on the relative merits of either Brexit outcome.
The easiest way to think about the changes to the EU Representative role after Brexit is that we move from two different areas to three – from (1) EU and (2) ‘rest of the world’; to (1) EU, (2) UK and (3) ‘rest of the world’.
Why is it that the UK doesn’t just drop into the ‘rest of the world’ category? The answer lies in the way that the UK has transposed GDPR into law, and the prospective law which they have put in place to prepare for the ‘no-deal’ scenario.
The relevant data protection law which will apply in the UK in the event of a no-deal Brexit on 29 March is “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (the “Amending Regulations”). This alters the existing Data Protection Act 2018 (the “Act”), which incorporates GDPR into UK law, in a number of ways – most of which replace references in GDPR to the EU with references to the UK. The implementation of Article 27 into UK law is altered by the Amending Regulations so that an equivalent obligation is created for non-UK organisations to appoint a UK Representative, mirroring the existing obligation on non-EU organisations to appoint an EU Representative.
The full effects of this are set out in the table below, but in summary (subject to the exclusions set out above):
Companies in the UK will need to appoint an EU Representative if they sell to, or monitor, people in the EU and have no EU establishment
Companies in the EU will need to appoint a UK Representative if they sell to, or monitor, people in the UK and have no UK establishment
Companies in the rest of the world (not EU or UK) (a) will need to appoint an EU Representative if they sell to, or monitor, people in the EU and have no EU establishment, AND (b) will need to appoint a UK Representative if they sell to, or monitor, people in the UK and have no UK establishment
The effect of the Amending Regulations is that many companies around the world will have gone from needing a Representative they didn’t know about, to needing two; and companies in either the EU or the UK – which have never needed to be concerned about the Article 27 obligation (and are even less likely to know about it than those non-EU organisations to which it does apply) – may suddenly need to add this appointment to their data protection checklist.
Whilst the temptation is to lament the lack of publication around these issues, the absence of clarity on the eventual Brexit position means that organisations, both public and private, have been hesitant to spend time on possibilities which may never come to be. The UK government, and the vast majority of the parliament, is still indicating that it would prefer to leave the EU with a deal rather than simply drop out of the EU on 29 March and revert to basic World Trade Organisation rules for international trade, and that is the position taken by most businesses as well. If the deal is agreed, the issues around appointing a Representative by or for UK operations will cease to apply – at least until the eventual expiry of the transition period (a period anticipated to be 21 months, up until the end of December 2020).
The Brexit Representative – what now?
The result is that most companies’ Brexit preparations, at least in those areas not related to their immediate continuing operations (e.g. obtaining goods or materials, shipping products overseas), are being left to a wait-and-see approach. I sympathise entirely with this approach, and view with amusement any suggestions from UK authorities that companies should be fully prepared, when the situation they would need to prepare for remains unknown.
However, with a no-deal Brexit looking more likely by the day, there is some value for UK companies in getting basic preparations in place for data protection issues, including appointing an EU Representative – this can be done by at least one provider on a ‘No Brexit, No Fee’ basis to prevent having to proceed with the appointment if a withdrawal deal is agreed between the UK and EU.
In conclusion then, the “hidden obligation” to appoint a Representative under Article 27 of GDPR is coming to a country near you – be prepared!
DPR Group is a leading provider of the EU Representative service, and the only EU Representative with contact locations in all 28 EU member states (27 + UK), enabling it to represent non-EU organisations regardless of where their data subjects are based, as well as offering the UK Representative service if required after Brexit. Please raise any inquiries to firstname.lastname@example.org.