Brexit : in which cases should a GDPR representative be appointed within the EU?
Since Brexit, the GDPR has created an obligation for UK companies to appoint a representative in the EU. Is your business affected by the appointment of the representative? We answer all your questions.
1. Who is affected ?
The obligation to appoint a representative in the EU is governed by the General Data Protection Regulation (GDPR). This obligation applies to foreign companies, including UK companies that do not have a branch, office or establishment in the EU.
However, the obligation applies primarily to foreign organisations that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU.
However, there are three exceptions to the requirement for European representation. They concern:
- Public organisations ;
- Occasional processing or processing relating to criminal convictions ;
- Companies that have a principal place of business in an EU country.
2. What is the role of the representative in your company ?
The GDPR representative, as its name indicates, represents and acts on behalf of its representative in the exercise of its mission. Your company will have to define in writing the conditions of the relationship between the parties to the representation mandate.
Please note that the role of representative is incompatible with the independent exercise of your company’s functions and the tasks of the data protection officer.
3. What are the representative’s obligations ?
The GDPR provides for three mandatory obligations on the representative.
Firstly, the representative must be the point of contact with the supervisory authorities. The representative must cooperate with the relevant supervisory authorities in relation to any action taken to ensure compliance with the GDPR. The representative must be able to facilitate any exchange of information.
Secondly, the representative must be the body to which data subjects can turn to exercise their rights. The representative must facilitate communication between the data subjects and the body located abroad so that the exercise of the data subjects’ rights is effective. The availability of a representative is therefore essential.
Finally, the representative must keep a register of the processing activities carried out in the EU territory. He keeps a register of all categories of processing activities carried out on behalf of his representative. At the same time, the latter must provide his representative with all accurate and up-to-date information so that the register can be kept and updated.
4. What are the responsibilities of the representative?
The representative in the EU is indeed liable under the GDPR. Firstly, he is responsible for all his obligations under the GDPR.
The representative must also comply with the obligations of the mandate he has signed with his agent. The representative is therefore not liable for non-compliance relating to elements of which he was unaware. For this reason, it is absolutely imperative that the mandate of representation is well framed and that there is full cooperation between the parties.
Finally, the GDPR does not establish a substitute liability of the representative in place of the agent he represents in the Union.
Deshoulières Avocats provides you with legal and technical recommendations to ensure compliance with the GDPR. We accompany you at each step of your GDPR compliancy thanks to our 20-step methodology.