01. About Our Services
Which EEA countries does DataAgent work in?
We are based in Dublin, Ireland.
We communicate with data subjects and supervisory authorities throughout the EEA. But we don’t set up “postbox” addresses in other countries. This is in our clients’ interests.
We’ll be happy to explain – please contact us.
What languages can DataAgent work in?
We’re native English speakers. For other languages, please contact us.
What is the DataAgent network?
We have a network of lawyers and other professionals from our work in EU litigation and investigations. We know, or know how to find, the right cost-effective expertise in the right country when it’s needed.
How much does our service cost?
For most organisations, a subscription to our service will cost roughly the same as two hours of your usual lawyer’s time each month.
We don’t charge anything else for our time, for the lifetime of your subscription – no matter what happens.
What happens if there is litigation or enforcement action?
If there are legal or regulatory proceedings in the EEA or UK in relation to our clients’ data protection compliance, we help choose the right legal team and consult with our clients at each step.
We provide detailed service guarantees for these situations, which we will be happy to explain – please contact us.
Can I appoint DataAgent as my UK representative?
If your organisation needs a UK representative, you can appoint DataAgent.
We can also act as both UK representative and EU representative if your organisation requires both.
If you have questions about this, please contact us.
Can I appoint DataAgent as my EU representative?
DataAgent can be your EU representative if:
- your organisation needs an EU representative; and
- your organisation processes the personal data of data subjects who are in the Republic of Ireland.
This means that, before DataAgent can be your EU representative, you must handle at least some personal data of individuals in Ireland.
Individuals in Ireland do not need to make up a large part of your database or customer base, and it doesn’t matter if you predominantly target other EEA countries. It’s simply necessary that the personal data which your organisation holds includes some information about individuals in the Republic of Ireland.
If you have questions about this, please contact us.
Does my organisation need a UK representative?
If your organisation is regulated by the UK GDPR but isn't established in the UK, you're likely to need a UK representative.
This means that, in principle, your organisation will need a UK representative if it:
- doesn't have a continuous presence in the UK (such as a subsidiary, shop, warehouse, office or UK-based employees); but
- does either monitor the behaviour of UK data subjects or target customers in the UK.
There are exceptions, but they’ll rarely apply to commercial organisations.
If you need to understand your own specific situation, we recommend independent advice.
Does my organisation need an EU representative?
If your organisation is regulated by the EU GDPR but isn't established in the EEA, you’re likely to need an EU representative.
This means that, in principle, your organisation will need an EU representative if it:
- doesn't have a continuous presence in the EEA (such as a subsidiary, shop, warehouse, office or EEA-based employees); but
- does either monitor the behaviour of EEA data subjects or target customers in the EEA.
There are exceptions, but they’ll rarely apply to commercial organisations.
If you need to understand your own specific situation, we recommend independent advice.
What counts as "targeting customers"?
If your organisation takes specific steps to provide goods or services to customers in the EEA, this is likely to count as targeting EEA customers.
Similarly, if your organisation takes specific steps to provide goods or services to customers in the UK, this is likely to count as targeting UK customers.
Examples of specific steps aimed at EEA customers might include:
- Making sales in an EEA currency
- Translating your website into an EEA language
- Offering specific terms and conditions or delivery options for customers in the EEA
It’s not necessary in this context that you charge for your products or services. For example, taking specific steps to attract customers to a free online service can also count as “targeting” those customers.
What counts as "monitoring the behaviour" of data subjects?
If your organisation tracks or records what individuals do on the internet (such as their clicks, website visits or video views), this can count as monitoring the behaviour of data subjects.
If your organisation records offline activity of individuals – such as attendance at events or movements around retail environments – this may also count as monitoring their behaviour.
If you are in these situations and want to understand your legal position, we recommend specific legal advice.
Who is regulated by the UK GDPR?
The UK GDPR regulates organisations which process personal data, and which:
- are established in the UK; or
- are not established in the UK, but either (a) monitor the behaviour of data subjects in the UK, or (b) target customers in the UK.
In general, organisations which are not established in the UK, but are regulated by the UK GDPR, do need a UK representative.
Who is regulated by the EU GDPR?
The EU GDPR regulates organisations which process personal data, and which:
- are established in the EEA; or
- are not established in the EEA, but either (a) monitor the behaviour of data subjects in the EEA, or (b) target customers in the EEA.
In general, organisations which are not established in the EEA, but are regulated by the EU GDPR, do need an EU representative.
What does “established” mean?
Your organisation doesn’t have to be incorporated in the EEA or UK to count as “established” in those jurisdictions.
For data protection purposes, your organisation is likely to be “established” in a jurisdiction if it has a continuous presence there – which might be a subsidiary, a shop, a warehouse, an office or even just an employee based in the jurisdiction.
Who needs a GDPR representative?
In general:
- an organisation will need an EU representative if it is regulated by the EU GDPR, but isn’t “established” in the EEA; and
- an organisation will need a UK representative if it is regulated by the UK GDPR, but isn’t “established” in the UK.
Some organisations will be regulated by both the EU GDPR and the UK GDPR, and won’t be established in either the EEA or the UK. These organisations may require an EU representative and a UK representative.
There are very limited exceptions, for organisations which:
- are public bodies; or
- only carry out occasional, low-risk processing of data subjects’ personal data, and don’t handle special category data.
The exceptions are unlikely to apply to most commercial organisations. But if you think that they might apply to you, we recommend independent legal advice.
What is a GDPR representative?
A GDPR representative is an organisation based within the EEA or UK jurisdictions that acts on behalf of clients based outside those jurisdictions.
Since the UK left the European Union, there are two kinds of GDPR representative:
- an “EU representative” is an organisation based within the EEA that acts for clients outside the EEA who are required to appoint a representative under the terms of the EU GDPR.
- a “UK representative” is an organisation based in the UK that acts for clients outside the UK who are required to appoint a representative under the terms of the UK GDPR.
GDPR representatives are also sometimes called “Article 27 representatives”, since Article 27 of the EU GDPR and Article 27 of the UK GDPR describe when they’re required.
What does a GDPR representative do?
A GDPR representative has three main tasks:
1. Communicating with data subjects and regulators about clients’ data protection compliance.
As representative for our clients, we communicate with data subjects about what our clients do with their personal data.
We also communicate with supervisory authorities who enforce data protection laws in the EU and UK, on behalf of our clients.
2. Maintaining records of clients’ processing of personal data, and sharing records with supervisory authorities when they ask, as required by Article 30 of the EU GDPR and UK GDPR.
3. Responding to enforcement proceedings when clients fail to comply with data protection laws.
Currently there is legal uncertainty as to whether a GDPR representative can be held liable for its clients’ breaches of data protection laws. But it’s likely that there will be attempts in the future to bring enforcement proceedings against representatives for their clients’ breaches. Representatives will need to respond to those proceedings.
02. About the GDPR
What does "processing" mean?
“Processing” personal data means doing anything with it – including saving it on a computer. It means much the same as “dealing with” or “handling” personal data.
What is personal data?
Personal data is information about an individual who is identified by the information, or who might plausibly be identified using available methods.
What is the UK GDPR?
The UK GDPR is the UK’s principal data protection legislation. It entered into force after the end of the Brexit “transition period” on 31 December 2020.
The UK GDPR is derived from and very similar to the EU GDPR.
What is the EU GDPR?
The EU GDPR is the EU's General Data Protection Regulation.
The EU GDPR contains a series of detailed rules about the processing of personal data. You can read the text here.
What is the EEA?
The EEA is the European Economic Area. It is made up of the EU Member States, plus Norway, Liechtenstein and Iceland.
Currently, the countries which are included in the EEA are the following: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
The UK was previously part of the EU and EEA. Its membership ended (for legal purposes) on 31 December 2020.
What is a supervisory authority?
Supervisory authorities are data protection regulators.
In the UK, the data protection regulator is the Information Commissioner.
What are data protection rights?
The EU GDPR and the UK GDPR grant data subjects a number of rights, which we call data protection rights.
Those rights let data subjects influence what data controllers do with their personal data. They include rights:
- to be informed about processing
- to receive copies of personal data
- to withdraw consent
- to object to some forms of processing
- to request deletion of personal data in some circumstances
- to complain to a supervisory authority
What are data controllers and data processors?
In general, a data controller is a person or organisation which processes personal data in a way it decides for itself. In other words, a data controller determines the purposes and means of its processing.
A data processor is a person or organisation which carries out processing of personal data for a data controller.
What is a data subject?
A data subject is an individual (a natural person) who is the subject of personal data – in other words, the person that personal data is about.
To put it differently: personal data is information about a data subject.


