Article 27 of the GDPR requires some organisations with no physical presence in the European Economic Area (EEA) to appoint a representative in the EEA. This will include some UK organisations after the Brexit “transition” period ends on 31 December 2020.
A GDPR representative has three essential tasks: acting as a contact point for data subjects and supervisory authorities in the EEA, managing Article 30 records, and responding to litigation and regulatory investigations.
There are more than 20 official languages in the EEA. The GDPR doesn’t specify which languages a representative should use when carrying out its tasks. But there are some practical tips and guiding principles that might help to provide answers.
1. Communications from data subjects
Each organisation knows which languages it normally uses to communicate with data subjects.
It’s a fair assumption that data subjects will normally use those same languages if they instigate communications with the organisation under the GDPR.
It’s probably also quite likely that data subjects will use the same languages if their communications are sent via the organisation’s representative rather than directly to the organisation itself.
This means that a representative should, as a priority, be prepared to handle communications in its clients’ usual business languages.
Of course it’s possible that data subjects might choose to communicate in other languages. The organisation and its representative might choose to show a degree of flexibility in how they respond, depending on the nature of the data subject’s communication.
If necessary, a machine translation of the communication should usually provide enough information for the organisation and its representative to decide together what to do next – including whether formal translations are required, and how to respond.
2. Subject access requests
In the same way, it’s a fair assumption that data subjects will normally submit “subject access requests” under Article 15 of the GDPR (also known as “DSARs”) in the language of their usual relationship with an organisation.
But it’s possible that DSARs could be submitted in other languages – both directly to the organisation, or via the organisation’s representative.
Here, again, the organisation and its representative might choose to show a degree of flexibility in deciding how to respond to a request submitted in a different language. Depending on the situation, this might first involve the use of machine translations, then further formal translations if necessary. Ideally there will be clear processes for cooperation between the representative and its client covering these situations.
Of course translating all the personal data that is retrieved by an organisation in response to a DSAR may prove very time-consuming and expensive. As we’ve posted before, there are legal precedents suggesting that, if the data subject has previously shown the ability to deal in the language that personal data is stored in, translating that personal data into a different language may not be required when responding to a DSAR.
But this might depend on the circumstances. The organisation and its representative may need to work together to determine how individual DSARs are handled.
3. Communications with supervisory authorities
An organisation with no physical presence in the EEA does not benefit from the GDPR’s “one-stop-shop”, and so may be subject to enforcement action by any supervisory authority in the EEA. The organisation’s representative may similarly be “addressed by any supervisory authority” in relation to its client’s compliance, as recital 80 to the GDPR makes clear.
The European Data Protection Board (or “EDPB” – the group of supervisory authorities in the EEA) has said that representatives should “in principle” be prepared to communicate in the various languages used by the supervisory authorities. But this is not reflected in the GDPR’s wording.
The EDPB’s opinion seems unlikely to mean that Article 30 records have to be maintained in all EEA languages, or that they have to be translated on request for any supervisory authority.
Similarly the EDPB’s opinion won’t necessarily mean that the organisation and its representative are required to respond to a communication from a supervisory authority in the same language that the supervisory authority uses.
Some organisations may choose to show a degree of flexibility in responding to communications from supervisory authorities that use languages “foreign” to the organisation and its representative. Once again, in this context it’s likely to be important that mechanisms are in place for the organisation and its representative to cooperate in deciding how to respond – including on such questions as when legal advice is required, and how it is arranged and paid for.
In practice, most supervisory authority communications – and requests for Article 30 records – are likely to be received in the course of regulatory investigations. There are reasons to think that supervisory authorities don’t have a free choice in the languages they use to carry out investigations.
4. Regulatory investigations
Can a supervisory authority simply use its own preferred language when taking enforcement action in relation to a GDPR infringement by an organisation outside the EEA?
As we've explained previously, judicial decisions suggest that regulatory enforcement action amounts (for legal purposes) to quasi-criminal proceedings. This means that the organisation facing investigation is entitled to receive important documentation in the proceedings in a language it understands.
On the other hand, as we’ve also explained, recital 80 to the GDPR suggests that a representative can be the subject of investigation into its client’s infringements of the GDPR, and can face financial penalties as a result. In other words, the central part of the representative’s role may be to provide an accessible "target" (or redress mechanism) for supervisory authorities and data subjects within Europe.
In this situation, the same judicial decisions suggest that key documents in any investigation against the organisation’s representative would have to be translated by the regulator into a language the representative understands.
Ideally this would be a language that both the representative and its client work in – their shared working language – so that both the representative and the client can readily understand the documents, and additional translations aren’t needed.
As we’ve argued before, in order to maximise the chance that documents in investigations against the representative are translated by the regulator into the shared working language, the representative should be based in a country that uses that shared working language – and not in countries that don’t.
5. Litigation
Data subjects have the right to bring claims for compensation in the courts in the EEA if their rights under the GDPR are infringed.
Those claims can be brought against organisations without any presence in Europe. But enforcing court judgments against organisations outside Europe can be complex.
For this reason, data subjects might instead choose to sue the organisation’s representative in Europe, based on recital 80 to the GDPR – in other words, seeking compensation from the representative for its client’s infringement of the GDPR.
Claims against a representative can be brought in the courts in the country (or countries) where the representative is based. In these situations, the claim is likely to be brought in the language used in the courts where the claim is started.
Alternatively claims against a representative can be brought in the data subject’s home country. In these situations, the claim is likely to be brought in the language used in the data subject’s "home" courts. But, at least where the data subject and the representative are based in different EU States, the EU Service Regulation seems likely to require that the claimant translates the most important documents into a language the representative understands (or a language that is used where the representative is based).
So, if the representative has its only base in a country that predominantly uses the working language that the representative and its client both share, there’s a good chance that important documents in litigation will have to be translated by other parties into that shared working language. This will minimise the need for the representative and its client to arrange, and pay for, translations in litigation.
6. Some conclusions
These points suggest some conclusions about the languages that a GDPR representative should speak.
First, a representative should be prepared to handle communications in its clients’ usual business languages. This is because data subjects are likely to use those languages in their communications.
Second, the representative and its client should ideally have a shared working language – for obvious practical reasons, and to remove any need for translations between them.
Third, it’s likely to be helpful if the representative is based in a country that uses that shared working language (and not in countries that don’t). This will maximise the chance that important documents in regulatory investigations or civil litigation will have to be translated into the shared working language by other parties – reducing the need to arrange additional translations.
Fourth, responding to communications from data subjects and supervisory authorities is likely to require cooperation between an organisation and its representative. For this purpose, ideally there should be clear processes for cooperation between the representative and its client, including for deciding what to do next if data subjects or supervisory authorities communicate in other languages. This will cover matters such as when and how formal translations are obtained and how the costs are met.
Fifth, there should be the same cooperation and processes for more strategic decisions – such as whether to challenge an attempt by a supervisory authority to communicate in a different language, or whether to reject attempts to serve documents in litigation on the representative in a different language. Ideally this will form part of a clear framework for cooperating more broadly in situations where communications are received from data subjects, enforcement action is commenced by supervisory authorities, or data subjects bring litigation against either the representative or its client.
In practice, these points are probably more important than an ability to speak all of the 20+ official EEA languages.
How DataAgent can help
We’re a GDPR representative based in Ireland. We’re also located in the UK, and ready to act as a “UK representative” after the Brexit transition period ends.
We were founded in the expectation that there will be attempts to hold representatives liable for their clients’ breaches of the GDPR. Our mission is to provide best-in-class service guarantees and resilience for these situations.
For most clients, we charge no more than two hours of your usual lawyer’s time each month. Our monthly fees cover all our time for the lifetime of your subscription – no matter what happens.
To find out more, please contact us.
.jpg)
