Does Your Company Need an EU Representative?
GDPR applies to nearly all businesses that operate in the EU and process data on EU subjects. Here’s how to find out if you need to comply with EU GDPR rules and if you need an EU representative.
A quick overview of GDPR
GDPR (The General Data Protection Regulation 2016/679) is an EU regulation on data protection and privacy. The law applies to any business that processes data on EU subjects. So, even though it comes from the European Union, GDPR applies to companies that are selling to or serving customers situated in the European Union and European Economic Area. This law should be taken seriously; the fines can be astronomical.
The original GDPR laws make up the basis of the UK GDPR laws, however the two are not the same. Read more about UK GDPR and whether your business needs a UK GDPR representative here.
What are the roles of a GDPR representative?
A GDPR representative is an authorised agent, able to receive legal documents on behalf of the company, which relate to EU security notices and data privacy. They also maintain records of data processing activities and share these records with national data protection authorities where required.
When do companies need EU representatives?
Under Article 27 of GDPR, it is a legal requirement for any company that is providing goods and services to EU citizens and is not established in the EU to have an EU representative. Typically, larger companies with more than 250 employees, process personal data on a daily basis or process sensitive data required to have an EU representative.
Do GDPR representatives need to be qualified?
A representative does not need to hold specific qualifications to perform the role; they can also be an individual or a company (some companies offer GDPR representative services). Despite no obligation to hold qualifications for the role, an EU representative is presumed to be close to an expert on GDPR, to help minimise bad data handling (non-compliance with GDPR) and subsequent consequences for such non-compliance. As such, it is recommended that organisations appoint privacy professionals with previous experience in interacting with both supervisory authorities and handling data subject requests.
Where must your EU representative be located?
The representative must also reside in the EU member state where the data originates; so if a Brazilian company collects and processes data from data subjects in Finland, the GDPR representative must be located in Finland. If the company is collecting, processing, or storing data from multiple EU member states, then it is at their discretion to choose a location where the representative will be located.
How to appoint a EU GDPR representative
An EU representative must be appointed in writing according to the law.
When appointing a representative, your GDPR representative appointment letter must include:
- Your company’s name and address
- Your EU representative's name and contact details
- Per Article 27 of GDPR, a reference to the company’s need to appoint a representative
- Conditions of the appointment including hours, termination notice, and pay
- Clauses that balance liability and an indemnity clause
- A Non-disclosure Agreement (NDA)
This letter is an official notice required by GDPR for the nomination of a GDPR representative. It is also the basis of a contract between the company and the representative.
In instances of proceedings brought against your company by the EU, under the contract set out between yourself and the EU representative, the EU can bring proceedings against your GDPR representative in the event that your company cannot be reached.
Choosing an EU representative that’s right for you
Appointing an EU representative can be relatively straightforward. Things to consider when choosing your representative include what kind of experience they have and where they are located. Also consider the costs and terms of service. Finally, think about their flexibility of service and if they may be able to offer further data protection and privacy-related services further down the line.
If you’re not sure which privacy requirements apply to your business, speak to a member of the Legal Nodes team and we’ll get you started on the correct route for GDPR compliance and good data management practice.