If you are an organisation outside of the EU with any operation inside of the EU (staff, clients, customers) you are obliged to appoint an EU Data Protection Representative under GDPR. For many the most practical approach is to outsource their EU representation function.
Obligations in law
Organisations based outside of the European Economic Area (EEA) who process data in the EEA must appoint a Data Protection Representative (DPR). Obtaining customer data in the EU is processing. Where processing is occasional and is unlikely to result in a risk to the rights and freedoms of a Subject the organisation is exempt, e.g. the one-off delivery of goods to the EU.
The formal appointment of a representative provides a focal point for data protection-related interaction with the firm and acts as an informed go-between with Subjects and the regulatory authorities.
The DPR may be an individual or a legal entity and shall be ‘the Subject of enforcement proceedings in the event of non-compliance by the Controller’. This does not reduce the accountability of the Controller. In the event of failure to meet obligations in line with GDPR the Controller will be liable to fines and enforcements.
The role of a Data Protection Representative
Responsibilities fall into two categories:
Formal responsibilities in law:
To be your formal representative on all matters relating to data protection in the EU, and your point of contact with EU regulators and Subjects
Maintain a ‘record of processing activities’ as described in Article 30 of the GDPR
Be named on your ‘record of processing activities’, your data protection/privacy notice and any notice provided to Subjects at the time of obtaining their personal data.
Provide guidance relating to Data Protection
It is also advisable to consider other elements of your strategy with your representative to keep the organisation from harm. They include:
Strategic advice on the structure of control over personal data in the EU (where necessary)
Review and oversight of related policy and process documentation
Data Protection review of customer, staff and supplier contracts
Staff training (to avoid unintentional misuse of personal data)
International firms with a fixed operation in the EU
For organisations with a number of fixed locations in the EU the determination of the ‘main establishment’ will identify a lead supervisory authority in a particular country. This enables a one-stop-shop arrangement for matters relating to data protection in the EU, i.e. all matters managed through a single regulatory authority. Organisations must have a registered company in the EU to avail of this status.
This may be attractive to a company that wants to be regulated in an English-speaking state where the regulator is considered reasonable. Ireland falls into this category and this may have contributed to Microsoft, Apple, Google, Facebook, LinkedIn, eBay and others establishing their European operations there.
This arrangement is, however, not a black-and-white situation and other EU states may lead in particular circumstances. Additionally, where categories of personal data are also controlled by a parent company or by other connected companies outside of the EU, additional considerations will have to be taken into account.
The top 3 practical considerations while assessing a strategy:
The reality on the ground: where are the ‘means and purpose’ of processing controlled from?
The jurisdiction, if any, within the EU in which the organisation has its main activity, and the significance of having a registered company in the EU.
Taxation: should an organisation be identified as a controller in a particular jurisdiction, this will need to be consistent with similar positions relating to control in the context of corporate and other taxation.
Careful consideration should be given to how best to position the controller to defend actions in the most beneficial way, and it is advisable to take advice in the context of your particular processing activity in the EU.
Outsourcing a Data Protection Officer (DPO) or Services
The when, what and how of outsourcing for data protection. Full article here
Identifying the right External Support
Top four tips to find the right person and an overview of the commonly available data protection qualifications. Please see here
Getting professional support
First Compliance offer advisory, DPO, EU Representative and other data protection services to assist companies in operating lawfully in the EU. If you could benefit from assistance please feel free to call us for a confidential consultation.