Provide your customers with industry leading EU Representation with the help of XpertDPO.
Most people will be aware that Data Protection regulations changed within Europe on the 25th May 2018 with the implementation of the General Data Protection Regulation (GDPR).
Whilst the GDPR is a European regulation, many organisations outside of Europe will be unaware that they are required to appoint a Nominated European Representative under certain conditions (we will discuss these conditions below).
Furthermore, the requirement to appoint a European Representative is not new.
Some organisations outside of the EU were already subject to a similar requirement prior to 25th May 2018. However, very few organisations outside of the EU appointed representatives under Article 4 of Directive 95/46/EC, which had provided since 1995 that a "controller must designate a representative established in the territory of [a] Member State" where such controller "makes use of equipment, automated or otherwise, situated on the territory of the said Member State ...". Article 3(2) and Article 27 of the GDPR extend the requirement to processors and remove the limiting condition that equipment be located in the Member State.
The information below is intended to guide organisations outside of the European Union in relation to appointing a Nominated European Representative.
Personally Identifiable Information (PII) is the American term, and "personal data" is the term used in the GDPR. The two are often treated as equivalents, but they do not correspond exactly: all PII is personal data, but not all personal data is PII.
Article 4 of the GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
PII has a limited scope and typically covers data such as name, address, date of birth, Social Security numbers and banking information. Personal data under the GDPR is broader and also covers, for example, photographs, social media posts, preferences, location data and online identifiers such as IP addresses and cookie identifiers.
Many US organisations are not aware that personal data has a much broader scope than PII. As a result, they may not realise that they process personal data of individuals in the EU, that they need to comply with the GDPR, and that they may be required to appoint a Nominated European Representative.
XpertDPO will work closely with your organisation and staff to provide extensive training so that you are fully aware of your obligations and responsibilities under the GDPR.
The GDPR applies to Data Controllers and Data Processors that process personal data of individuals in the EU (not just EU citizens), regardless of where the organisation is established, where that processing relates to offering goods or services to individuals in the EU or to monitoring their behaviour within the EU (Article 3(2)). Remember that personal data under the GDPR has a much wider scope than PII as used in the United States.
Organisations that are not established inside the EU and fall within Article 3(2) are required to appoint a representative who is established in the EU, subject to the limited exemptions in Article 27(2) (occasional processing that does not include large-scale processing of special categories of data or criminal conviction data and is unlikely to result in a risk to individuals, and public authorities or bodies).
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to mitigate these risks as far and as early as possible.
Article 27 of the GDPR states that a Controller or Processor who is not established in the EU and offers goods or services to data subjects in the EU or monitors the behaviour of Data Subjects occurring within the EU must appoint, in writing, a representative within the EU.
If you answer yes to any of the questions in the infographic below, then you will most likely be required to appoint a European Representative.
The key to determining your organisation’s main establishment if you are a data controller, is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then the other establishment will be your main establishment.
If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organisation does not have any central administration in the EU. If this is the case, the location where your organisation’s main processing activities take place will be your main establishment.
If your organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.
If your organisation is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing.
If your organisation is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment.
This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment.
It is important to note that a controller or processor that does not have an establishment in the EU cannot avail of the One Stop Shop mechanism (OSS). Appointing a representative does not create an establishment, so such an organisation must deal with the local supervisory authority in every member state in which it is active, through its Nominated European Representative.
The Nominated European Representative acts as a guardian or gatekeeper for your organisation. If you are based in the United States, think of the role as similar to the Delaware registered agent that many US organisations are required to maintain.
The Nominated European Representative must be identified in the privacy notices of the non-EU based company pursuant to Articles 13(1)(a) and 14(1)(a). Pursuant to Article 27(4), the representative is mandated to be addressed in addition to or instead of the non-EU based company, in particular by supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with the GDPR.
The Nominated European Representative represents the non-EU based company with respect to obligations under the GDPR, pursuant to Article 4(17).
In terms of active duties, the Nominated European Representative maintains the records of processing activities on behalf of the non-EU based company (which remains responsible for preparing and providing those records, pursuant to Article 30), and co-operates with the supervisory authority on request, pursuant to Article 31.
A Nominated European Representative under Article 27 and a Data Protection Officer under Article 37 have quite different roles, tasks, functions and duties. A Data Protection Officer functions as the long arm of a data protection authority within an organisation and is intended to foster a compliance culture.
The Nominated European Representative acts more like a local representative. Organisations without an establishment in the EU are required under Article 27 to designate a representative in the EU so data protection authorities can reach and sanction them when required. The Nominated European Representative keeps records of processing activities and is available to receive inquiries and complaints.
As your Nominated European Representative, XpertDPO will be the contact person for your Data Subjects (Customers) in all European member states.
Your Nominated European Representative will be legally appointed to represent you as the Data Controller when dealing with Data Protection Authorities in the EU.
We will assist you in establishing and maintaining Article 30 Records of Processing. If requested, we will provide these records to Data Protection Authorities.
Brexit Proof: XpertDPO is located within Ireland, an English-speaking member state that remains in the EU after the UK leaves the union, so your representative will not be affected by Brexit.
Experience: Our consultants and legal team have many years of Data Protection experience.
International Service: We have the capability to communicate in all the official languages of the EU, and our consultants are experts in the Data Protection Laws of many European member states.
XpertDPO can act as your Nominated European Representative AND your Data Protection Officer, thereby keeping all of your Data Protection requirements with one expert organisation.
From the first point of contact, XpertDPO will make life easier for your customers. We have an automated Subject Access Request (SAR) management system that handles the whole process. As soon as we receive a SAR from your customer, or a request for information from an EU Data Protection Authority, we send out an automated acknowledgement. When we notify you that we have received a request, we always provide detailed advice on the actions you should take to respond to it effectively and within the statutory deadline.
We will work with your organisation to formulate your Article 30 Records of Processing. These are a vital requirement under the GDPR. If these records are incorrect, or are not a true reflection of your processing activities, then XpertDPO as your representative is exposed to fines and sanctions under the GDPR. This is why we place particular importance on this aspect of the service.
Your customers in the EEA are permitted to contact you in their native language. We will provide contact details for them in each of those languages, and we can translate the communications we receive into your preferred language.