Where should a GDPR representative be based?

Article 27 of the GDPR requires some organisations to appoint a representative in the European Economic Area (or “EEA” – the EU plus Iceland, Liechtenstein and Norway).

This applies to organisations outside the EEA that target customers or monitor data subjects within the EEA.

After 31 December 2020 (when the Brexit “transition period” ends), the new “UK GDPR” will also require some organisations to appoint a representative in the UK.

This will apply to organisations outside the UK that target customers or monitor data subjects in the UK.

But where exactly should a representative be based?

UK representatives

The new “UK GDPR” simply states that a UK representative must be “established in the United Kingdom”.

For these purposes, being “established” in the UK can involve having a UK-incorporated company. Or it can involve other kinds of “stable” physical presence – such as an office or employees.

So an organisation that is required to appoint a UK representative can choose a representative that has a subsidiary or physical presence anywhere in the UK.

It’s possible that, after the Brexit “transition” period ends, UK laws on this point could change. But there’s no indication yet of any forthcoming changes.

EU representatives

The EU GDPR requires that an EU representative is established in “one of” the EEA countries where its client’s data subjects are located.

In its Guidelines on the territorial scope of the GDPR, the European Data Protection Board (or “EDPB” – the group of supervisory authorities in the EEA) recommends that an EU representative should be established in an EEA country where its client has a “significant proportion” of its data subjects. But the EDPB recommends this as “good practice”. It’s not a legal requirement.

So, in other words, the GDPR requires that a representative’s client has at least some data subjects in the EEA country where the representative is established. The representative doesn’t have to be established in all of the EEA countries where the client has data subjects. Nor does it matter which EEA country the representative is based in, so long as the client has some data subjects there.

Should an EU representative have bases in multiple EEA countries?

Some EU representatives may have establishments in many, or all, of the EEA States. This has advantages and disadvantages.

The main advantage is that an EU representative with establishments in multiple EEA countries can represent more clients. For example, even if a client only has a small number of European data subjects, all based in one small EEA country, an EU representative with an establishment in that country can act for that client.

But an EU representative doesn’t need to have establishments in more than one EEA country in order to carry out its role. The representative’s main role is to provide a contact point for data subjects and regulators. In principle, this can be done from anywhere in the EEA, so long as the representative makes available appropriate methods of communication – such as email and postal addresses and a telephone number. The GDPR doesn’t require a representative to offer local postal addresses or local telephone numbers in every EEA State.

There can also be disadvantages if an EU representative is established in numerous EEA countries.

Part of an EU representative’s role is to respond to enforcement proceedings in the EEA (meaning regulatory investigations and civil litigation) if its clients infringe the GDPR. Recital 80 to the GDPR states that the representative can be made “subject to enforcement proceedings in the event of non-compliance” by its clients. What this means is currently controversial, but there’s a significant chance that there may be attempts in the future to hold representatives liable for their clients’ infringements.

Enforcement proceedings of this nature can arise anywhere in the EEA. But, for reasons we’ve explained previously, a regulator or claimant bringing enforcement proceedings against an EU representative in another EEA country (where the representative isn’t based) is likely to have to translate the most important legal documents into a language the representative understands.

So an EU representative can influence what languages regulators and other litigants have to use in enforcement proceedings, by choosing where it is based.

If the EU representative has establishments in multiple EEA countries, this is likely to increase the chance that it will have to respond to enforcement proceedings in multiple languages. This can bring unnecessary translation burdens and cost.

Some conclusions

A UK representative can be based anywhere in the UK.

An EU representative must be based in an EEA country where its client has at least some data subjects. Beyond that, the representative can choose where it is based – and the client can choose its representative taking into account the representative’s location.

But that choice may affect the languages that regulators and others use if they bring enforcement proceedings in relation to the client’s infringements. This is because regulators and claimants might attempt to take action against the representative in the client’s place – and in this event, they will in principle need to translate important legal documents into a language that the representative understands.

So clients may ultimately save money and translation hassles by choosing an EU representative that shares their working language, and is based in an EEA country that uses that language – and not in other countries that don’t.

How DataAgent can help

We’re an EU representative based in Ireland. We act for organisations that need a representative under the EU GDPR, and have at least some data subjects in Ireland.

We also have a UK-incorporated subsidiary that acts as UK representative for organisations that need a representative under the UK GDPR.

We’re not based in other EEA countries. This benefits our clients, by maximising the chance that any enforcement proceedings we’re involved in have to be translated for us by other parties.

To find out more about our service, you can read our FAQs or email us.