
GDPR representative in the EU

The figure of the GDPR representative in the EU is still little known despite being fully in force, which was reinforced by the current Article 27 of the GDPR.

Who needs a GDPR representative in the EU?

This is an obligation for any company that is not permanently established in the European Union and that, within the framework of its activities, offers services or goods to citizens (EU or not) within the European Union, regardless of whether or not these are paid services or goods.

On a practical level, therefore, companies and startups from countries such as the United States or the United Kingdom (since 1 January, 2021), which offer services or products to EU citizens, have the obligation to appoint a GDPR representative.

This obligation is not related to the turnover of the company or the data processed, so it applies to large companies and small startups alike, provided the requirements set out are met.

This provision applies both to so-called data controllers (companies that collect data for their own purposes) and to data processors, that is, providers who process or host data on behalf of or in the name of data controllers.

What is the role of the GDPR representative in the EU?

The GDPR representative must be a company or professional based in an EU Member State and that, as its name indicates, represents the non-EU company processing data from European citizens.

Among its most outstanding functions is that it represents the non-European company with regard to the data protection control authorities (such as the AEPD) or responds to requests by the data holders, again on behalf of the non-EU company.

It is essential to remember that, according to the GDPR, the “designated representative must be subject to enforcement proceedings in the event of non-compliance by the controller or the processor”.

Is there a formality to fulfill?

Yes, the relationship between the GDPR representative and the represented company must be formalised in a written contract in which the duties of the representative are clearly defined, as well as aspects such as the validity of the representation and the type of processing on which the representative performs his duties.

Likewise, the designation of the representative must be notified to the data protection authority of the country in which the representative is permanently established.

Who can be a representative?

Unlike the figure of the Data Protection Officer, the regulations do not require the representative to have specific training in this matter. Having said this, this is highly recommended because, as has been seen, in some cases he can be held liable for non-compliance by the non-EU company.

There is nothing to stop the representative from, in turn, being the advisor or Data Protection Officer of the company in its activities within the EU. It must be remembered that the GDPR is also applicable to non-EU companies offering services and products to European citizens, as these companies will not only be obliged to appoint a representative, but to fully comply with the GDPR.

What happens if I do not appoint a representative?

Strangely enough, the GDPR does not include any penalties for not appointing a representative when it is necessary.

However, in countries such as Spain, the regulations indicate that failure to appoint a representative, when mandatory, will be considered a serious offense (fine of up to € 10,000,000 or an amount equivalent to a maximum of 2% of the total annual overall turnover from the previous financial year, the higher of the two being chosen).

The specific regulations in Spain also include the obligation of the representative to keep the register of processing activities of the non-EU company updated.

If you need a GDPR representative in the European Union, contact us.
