GDPR representatives are appointed by organisations outside the EEA (or, after Brexit, outside the UK) in order to comply with obligations under the GDPR (or the new “UK GDPR”).
Representatives provide a contact point for data subjects and supervisory authorities in Europe.
And, for reasons we’ve explained previously, there’s a significant chance that representatives provide a redress mechanism for data subjects and supervisory authorities in Europe. In other words, representatives could be liable to pay financial penalties or compensation if their clients infringe the GDPR.
What are the risks?
Financial penalties under the GDPR can be higher than €20 million. So can awards of compensation in litigation. When a representative accepts appointment by a new client, it accepts at least the possibility of liabilities on that scale on behalf of the client.
If the representative incurs a liability on behalf of a client, and the client transfers funds to enable the representative to meet that liability, the risk to the representative may be minimal.
But if the client does not or cannot transfer funds, the representative may be left to meet a liability in the EEA incurred because of its client’s actions.
How can a representative manage its risks?
There are three principal methods by which a representative can manage the risk of being left to meet a liability in the EEA.
Due diligence
First, the representative can undertake due diligence before accepting its appointment – and possibly at intervals throughout its appointment – aiming to identify problems before they arise.
Legal due diligence will involve understanding the kinds of data processing that the client carries out, the number of data subjects affected, and the strength of the client’s GDPR compliance arrangements.
This will help the representative to assess the likelihood and magnitude of potential liabilities.
Financial due diligence will involve understanding the client’s financial health and its ability to meet potential liabilities arising from a serious infringement (such as a large-scale data breach) – which could include liabilities in multiple jurisdictions.
Recovery mechanism
Second, the representative can put in place a recovery mechanism designed to maximise the chance that any liabilities are reimbursed to it.
This is likely to require clear contractual rights to repayment of any financial liabilities that the representative incurs as a result of its client’s actions.
It will also require an enforcement strategy. This includes choosing which system of law will govern the representative’s service agreement, and which courts or other bodies will have jurisdiction over the agreement – based on how accessible and reliable they are, and how easily their judgments can be enforced in the client’s home country.
Additional protections
Third, the representative may put in place other financial protections against situations in which the representative’s due diligence and recovery mechanism do not provide full protection.
Possibilities may include bonds, bank guarantees and insurance, depending on the circumstances. We’ve described some of the options previously in more detail.
It seems likely that none of these financial mechanisms will be universally available, none will be cheap, and none will fully cover the representative’s risks on its own.
In practice, resilience for representatives will probably involve a blend of these and other possibilities, and may differ from client to client depending on the risks identified through due diligence.
How DataAgent can help
We’re a GDPR representative based in Ireland. We’re also located in the UK, and ready to act as a “UK representative” after the Brexit transition period ends.
We were founded in the expectation that there will be attempts to hold representatives liable for their clients’ breaches of the GDPR. Our mission is to provide best-in-class service guarantees and resilience for these situations.
For most clients, we charge no more than two hours of your usual lawyer’s time each month. Our monthly fees cover all our time for the lifetime of your subscription – no matter what happens.
You can email us to find out more.
.jpg)
