#AtoZofGDPR - H is for Have you appointed your EU Representative yet?
Most people will be aware that Data Protection regulations changed within Europe on the 25th May 2018 with the implementation of the General Data Protection Regulation (GDPR).
Whilst the GDPR is a European regulation, many organisations outside of Europe will be unaware that they are required to appoint a Nominated European Representative under certain conditions (we will discuss these conditions later in this document) as per Article 27 of the GDPR.
Furthermore, the requirement to appoint a European Representative is not new.
Some companies outside the EU were already subject to a similar requirement before 25th May 2018. However, very few companies outside the EU appointed representatives under Article 4 of Directive 95/46/EC, which had provided since 1995 that a "controller must designate a representative established in the territory of [a] Member State" where such controller "makes use of equipment, automated or otherwise, situated on the territory of the said Member State ...". Article 3(2) and Article 27 of the GDPR extend the requirement to processors and remove the limiting condition of local equipment.
Personal Information vs PII
Personally Identifiable Information (PII) is the American term, and "personal data" is meant to be the EU equivalent of PII. Nonetheless, the two do not correspond exactly: all PII can be personal data, but not all personal data is considered PII.
Article 4 of the GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PII has a limited scope, covering data such as name, address, birth date, Social Security number and banking information, whereas personal data in the context of the GDPR also covers data such as photographs, social media posts, preferences and location.
Many US organisations may not be aware that Personal Information has a much broader scope than PII and therefore, may be unaware that they need to comply with the GDPR and thus are required to appoint a Nominated European Representative.
So, when should an Organisation appoint a Nominated European Representative?
The GDPR applies to Data Controllers AND Data Processors that process personal data of individuals in the EU (NOT JUST EU CITIZENS!!!), regardless of where the organisation is established in the world. Remember, Personal Data under the GDPR has a much wider scope than PII as used in the United States!!
Those organisations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance.
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to mitigate these risks as far and as early as possible.
Article 27 of the GDPR states that a Controller or Processor who is not established in the EU and offers goods or services to data subjects in the EU or monitors the behaviour of Data Subjects occurring within the EU must appoint, in writing, a representative within the EU.
Does the GDPR Apply to my Organisation?
If you answer yes to any of the questions in the infographic opposite then you will likely be required to appoint a European Representative.
What is establishment and how do I determine establishment?
The key to determining your organisation’s main establishment, if you are a data controller, is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then that other establishment will be your main establishment.
If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organisation does not have any central administration in the EU. If this is the case, the location where your organisation’s main processing activities take place will be your main establishment.
If your organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.
If your organisation is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing.
If your organisation is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment.
This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment.
It is important to note that a controller that DOES NOT have an establishment in the EU CANNOT avail itself of the One Stop Shop mechanism (OSS) and therefore must deal with the local supervisory authority in EVERY member state in which it is active, through its Nominated European Representative.
The Role of a Nominated European Representative under Article 27 of the GDPR
The Nominated European Representative acts as a guardian or gatekeeper for your organisation.
The Nominated European Representative must be identified in the privacy notices of the non-EU based company pursuant to Articles 13(1)(a) and 14(1)(a). Pursuant to Article 27(4), the representative can be addressed in addition to, or instead of, the non-EU based company, in particular by supervisory authorities and data subjects, on all issues related to data processing for the purposes of ensuring compliance with the GDPR.
The Nominated European Representative represents the non-EU based company with respect to obligations under the GDPR, pursuant to Article 4(17). If your organisation is based in the United States, think of the role being similar to the Delaware Agent many US organisations are required to keep.
In terms of active duties, the Nominated European Representative shall maintain records of processing activities on behalf of the non-EU based company (which remains the party that has to prepare and provide such records, pursuant to Article 30), and shall co-operate with the supervisory authority on request, pursuant to Article 31.
A Nominated European Representative under Article 27 and a Data Protection Officer under Article 37 have quite different roles, tasks, functions and duties:
A Data Protection Officer functions as the long arm of a data protection authority within an organisation and is intended to foster a compliance culture.
The Nominated European Representative acts more like a local representative. Organisations without an establishment in the EU are required under Article 27 to designate a representative in the EU so data protection authorities can reach and sanction them when required. The Nominated European Representative keeps records of processing activities and is available to receive inquiries and complaints.