GDPR FOR NON-EU COMPANIES
One of the most discussed compliance topics in the EU over the past few years has been the new General Data Protection Regulation (GDPR), with its strict rules, high sanctions and broad scope.
Even after all these discussions, there are still grey areas in the understanding and implementation of the GDPR, especially regarding the compliance required of non-EU companies. That is why below you may find a short overview of one of the most important and least discussed obligations of non-EU companies subject to the GDPR rules.
When and why are you obliged to appoint a GDPR EU Representative?
The GDPR is the main substantive EU law setting mandatory rules for how companies and other organisations must collect and use the personal data of individuals in a lawful manner.
The GDPR has a broad territorial scope and also applies to controllers/processors outside the EU who process personal data in relation to either of the following:
- offering products/services to EU citizens, or
- monitoring the behaviour of EU citizens taking place within the EU.
Since 01.01.2021 the UK is officially no longer part of the European Union, so UK companies processing personal data of EU citizens (e.g. email, delivery address, name, etc.) are affected as well.
If a non-EU company has no physical presence in the EU, i.e. no local branch, office or other kind of legal establishment, then it must appoint a special representative within the territory of the EU (GDPR EU Representative) to facilitate communication between the non-EU company on the one hand and the data subjects and data protection authorities on the other, with regard to personal data processing matters.
What data protection obligations do non-EU companies have? Why comply with the EU data protection rules?
The obligations of non-EU companies dealing with the personal data of EU citizens can be separated into two main groups:
- Firstly, all such companies need to meet the requirements on personal data transfers and personal data processing set by the substantive rules of the GDPR.
- Secondly, companies without any physical presence in any of the Member States are obliged to appoint a GDPR EU Representative, a specific requirement introduced in Art. 27 of the GDPR.
Any non-EU based data controller or data processor must appoint its GDPR EU Representative before it starts dealing with the personal data of EU citizens, and must include the details of the GDPR EU Representative in its privacy notices in order to comply with the GDPR rules.
How to appoint a GDPR EU Representative?
Once you have found a trusted partner based in one of the EU Member States, you need to sign a contract in which the rights and obligations of your company and of your GDPR EU Representative are clearly defined.
As a second step, you are obliged to announce the name and contact details of your GDPR EU Representative in your privacy notice, available to all data subjects (usually published, for example, on your website), prior to the collection of their data. Information about the GDPR EU Representative must be easily accessible to the data protection authorities as well.
Who can be your GDPR EU Representative?
There are many niche firms specialising in providing this kind of service. Most firms acting as GDPR EU Representatives collaborate with legal advisors who help them meet all legal requirements at EU and local level and deal with the more complex matters as well.
In our practice, our data protection team is involved in this process on a daily basis while acting as GDPR EU Representative for non-EU clients.
It should be outlined that the main requirement for a Representative is to be established in one of the EU Member States where the data subjects are located. If you trade in more than one Member State, it is good practice, but not mandatory, to appoint your GDPR EU Representative in the Member State where the largest number of data subjects (in most cases, your clients) are based.
For example: if you are a company based in China, offering and delivering goods in Europe, you are free to appoint your GDPR EU Representative in any of the Member States where you distribute your goods. Thus, you may appoint a GDPR EU Representative in Bulgaria, even though most of your clients are based in other Member States. Still, it is good practice to evaluate in which Member State the largest number of your clients are based and to find a trusted partner there to act as your GDPR EU Representative.
What is the role of the GDPR EU Representative?
The main role of the GDPR EU Representative is to act as a point of contact and to facilitate communication with data subjects based in the EU and with the data protection supervisory authorities in all Member States.
The GDPR EU Representative is obliged to hold and maintain the records of processing activities of the data controller/processor. The Representative is also responsible for providing these records in a timely manner when requested by any EU data protection supervisory authority.
The GDPR EU Representative may also assist your non-EU company with potential data breach notifications to the data protection authorities.
What is the liability of the GDPR EU Representative?
The general rule remains that liability for non-compliance with GDPR obligations falls on the data controller/processor. It is the data controller's/processor's responsibility to collect and process personal data in a lawful manner.
On the one hand, the GDPR EU Representative's responsibility is only to maintain an up-to-date version of the records of processing activities and to be able to provide them to the requesting data protection authority in a timely manner. On the other hand, being a point of contact makes it questionable whether the supervisory authorities may address to the EU Representative not only information requests but also any corrective measures or administrative fines and penalties imposed on the non-EU data controller/processor, including holding the Representative responsible for the fulfilment of these measures.
Different data protection supervisory authorities take different approaches, and the case law of the courts in the Member States is still not consistent. However, the EDPB's guidance, adopted on 12 November 2019, states that “The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union”. The intention (the EDPB now says) was actually “to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union” by addressing notices etc. to them, but not “to hold a representative directly liable” (representatives are directly liable merely in respect of keeping a record of processing activities, under Article 30, and in respect of providing information to supervisory authorities when ordered to do so, under Article 58(1)).
General advice to non-EU companies subject to the strict GDPR requirements:
If your company is obliged to appoint a GDPR EU Representative, the core issue is to find a trusted and experienced partner who will deal with the data protection authorities and data subject requests in the EU on your behalf in the best possible way.