Article 27 European Representative Service
Most people will be aware that Data Protection regulations changed within Europe on the 25th May 2018 with the implementation of the General Data Protection Regulation (GDPR).
Whilst the GDPR is a European regulation, many organisations outside of Europe will be unaware that they are, under certain conditions, required to appoint a European Representative.
The requirement to appoint a European Representative is not new. Some organisations outside of the EU were already subject to a similar requirement before 25th May 2018.
However, very few companies outside of the EU have appointed representatives under Article 4 of Directive 95/46/EC, which has provided since 1995 that a “controller must designate a representative established in the territory of [a] Member State” where such controller “makes use of equipment, automated or otherwise, situated on the territory of the said Member State …”
Article 3(2) and Article 27 of the GDPR extend the requirement to processors and remove the limiting condition of local equipment.
Does the GDPR apply to my Organisation?
- Does your organisation have any other form of establishment in Europe?
- Does your organisation monitor the behaviour of citizens located in Europe?
If you answer YES to any of these questions it is likely that your organisation will be required to comply with the GDPR.
If you fail to appoint a European Representative you risk being fined €10 million or 2% of global turnover.
Helping you navigate GDPR
01. ASSIGN
02. NOTIFY
XpertDPO will register with the relevant Statutory Authority and act as the main point of contact.
03. INCIDENTS
XpertDPO will forward on all Subject Access Requests.
04. REPORTS
Annual management reports detailing queries and incidents raised plus any other relevant data protection issues.
How can XpertDPO help?
XpertDPO will act as your European Representative to ensure your compliance with the GDPR.
- Notification to Statutory Authority
- Initial Review of Art. 30 RoPA
- Ongoing RoPA Compliance Monitoring
- Unlimited SARs
- Annual Compliance Report
- UK Representation
- Unlimited Number of RoPA Amendments
- Main Point of Contact for all European Data Subjects
- Main Point of Contact for all European Statutory Authorities
Personally Identifiable Information (PII) is the American term, and "personal data" is intended as its EU equivalent. Nonetheless, the two do not correspond exactly: all PII is personal data, but not all personal data is considered PII.
Article 4 of the GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PII has a limited scope, covering data such as name, address, birth date, Social Security numbers and banking information. Personal data in the context of the GDPR is broader and also covers data such as photographs, social media posts, preferences and location.
Many US organisations may not be aware that personal data has a much broader scope than PII, and may therefore be unaware that they need to comply with the GDPR and are required to appoint a Nominated European Representative.
XpertDPO will work closely with your organisation and staff to provide extensive training so that you are fully aware of your obligations and responsibilities under the GDPR.
The GDPR applies to Data Controllers AND Data Processors that process personal data of individuals in the EU (NOT JUST EU CITIZENS!), regardless of where in the world the organisation is established. Remember, personal data under the GDPR has a much wider scope than PII as used in the United States!
Those organisations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance.
A Data Protection Impact Assessment (DPIA) is a process designed to identify risks arising out of the processing of personal data and to mitigate those risks as far and as early as possible.
Article 27 of the GDPR states that a Controller or Processor who is not established in the EU and offers goods or services to data subjects in the EU or monitors the behaviour of Data Subjects occurring within the EU must appoint, in writing, a representative within the EU.
If you are a data controller, the key to determining your organisation’s main establishment is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment, and that establishment has the power to have the decisions implemented, then that other establishment will be your main establishment.
If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organisation does not have any central administration in the EU. If this is the case, the location where your organisation’s main processing activities take place will be your main establishment. If your organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.
If your organisation is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing. If your organisation is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment.
This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment.
It is important to note that a controller that DOES NOT have an establishment in the EU CANNOT avail of the One Stop Shop mechanism (OSS) and therefore must deal with local supervisory authorities in EVERY member state they are active in, through their Nominated European Representative.
The role of a European representative under Article 27 of the GDPR
The Nominated European Representative acts as a guardian or gatekeeper for your organisation. If you are based in the United States, think of the role being similar to the Delaware Agent many US organisations are required to keep.
The Nominated European Representative must be identified in the privacy notices of the non-EU based company pursuant to Articles 13(1)(a) and 14(1)(a). Pursuant to Article 27(4), the representative can be addressed in addition to or instead of the non-EU based company, in particular by supervisory authorities and data subjects, on all issues related to data processing, for the purposes of ensuring compliance with the GDPR.
The Nominated European Representative represents the non-EU based company with respect to obligations under the GDPR, pursuant to Article 4(17).
In terms of active duties, the Nominated European Representative shall maintain records of processing activities for the non-EU based company (which remains the party that has to prepare and provide such records, pursuant to Article 30). The Nominated European Representative shall also co-operate with the supervisory authority on request, pursuant to Article 31.
European Representative vs Data Protection Officer
A Nominated European Representative under Article 27 and a Data Protection Officer under Article 37 have quite different roles, tasks, functions and duties. A Data Protection Officer functions as the long arm of a data protection authority within an organisation and is intended to foster a compliance culture.
The Nominated European Representative acts more like a local representative. Organisations without an establishment in the EU are required under Article 27 to designate a representative in the EU so data protection authorities can reach and sanction them when required. The Nominated European Representative keeps records of processing activities and is available to receive inquiries and complaints.
As your Nominated European Representative, XpertDPO will be the contact person for your Data Subjects (Customers) in all European member states.
Your Nominated European Representative will be legally appointed to represent you as the Data Controller when dealing with Data Protection Authorities in the EU.
We will assist you in establishing and maintaining Article 30 Records of Processing. If requested, we will provide these records to Data Protection Authorities.
Data Protection journey with us?
XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.
We are one of the leading providers of Outsourced Data Protection Officer services in Ireland and the UK. We also specialise in offering Nominated European Representative services to non-EU based organisations.
- Certified Data Protection Officer
- Certified Information Security Manager (ISACA)
- Certified Information Systems Auditor (ISACA)
- Certified in Risk and Information Systems Control (ISACA)
- Certified Cloud Security Professional (ISC2)
- Certificate of Cloud Security Knowledge
- Cyber Essentials