A recent Dutch decision highlights the importance of appointing a GDPR representative for non-EEA companies under the GDPR
What is a GDPR representative?
Non-EEA companies that sell goods or services to EEA residents or monitor the behaviour of EEA residents must appoint an EEA-based representative per Article 27 of the GDPR (subject to limited exceptions). The representative acts as the point of contact between EEA individuals and/or local data protection authorities and the relevant controller or processor based outside the EEA. The representative's specific obligations under the GDPR are to maintain a copy of the Article 30 record of processing activities (sometimes called a ROPA), provide information to local data protection authorities on request and do anything else set out in the written agreement it has with the controller or processor.
Is a GDPR representative liable for breaches by controllers and processors?
No. When the GDPR first became effective in 2018 there was a concern that representatives could be held liable for breaches by the controller or processor. However, now it is understood that representatives are only liable for their direct GDPR obligations, i.e. to maintain the ROPA and to provide information to data protection authorities on request.
What was the basis of the Dutch investigation?
LocateFamily.com is a website that allows people to search for and connect with family members and others using name, address and date of birth. The Dutch data protection authority (known as the “AP”) received several complaints from EEA residents that their personal data was included on LocateFamily’s website without their consent, and that their requests to have this personal data removed from the website were not met by the company. The AP launched an international investigation in co-operation with nine other European data protection authorities and the Canadian data protection authority into the company and its data processing practices.
Did the processing activities come within the scope of the GDPR?
Yes. In response to the AP’s investigation, LocateFamily argued that the company was not located in the EEA, did not have an office or representative within the EEA, did not have any business relationships within the EEA and did not offer goods or services to any EEA residents. However, the AP disagreed and found that the GDPR applied to the processing of EEA resident data by the company, as it offered a service to EEA residents when it assisted them in connecting with other individuals. These services were targeted at EEA residents and were offered in several EEA countries (for example, data of 700,000 Dutch residents was available on the site). Therefore, this processing was within the scope of Article 3(2)(a) of the GDPR.
Was a GDPR representative required?
Yes. Under Article 27 of the GDPR, LocateFamily was required to appoint a GDPR representative since it was a non-EEA controller or processor offering services to EEA residents.
What was the outcome of the AP investigation?
The investigation by the AP found that LocateFamily:
- did not have a branch or representative in the Netherlands or any other EEA Member State;
- did not provide a privacy contact or branch/representative address within the EEA on its website; and
- did not fall within the exceptions for having a GDPR representative under Article 27 as the company was not a public authority and the company could not avail of the “occasional processing” exemption due to the regular processing of personal data on the company’s website.
Therefore, the AP imposed a €525,000 fine on LocateFamily for its failure to appoint a GDPR representative in violation of Article 27 of the GDPR. In addition to the substantial fine, the AP also required that the company pay an extra €20,000 for each two-week period it failed to appoint a GDPR representative, up to a maximum additional fine of €120,000.
Are there any other requirements to have an EEA or UK representative?
Yes. A similar requirement is included in the UK GDPR, meaning that companies established outside of the UK, which sell goods or services to UK residents and/or monitor the behaviour of UK residents, must appoint a UK-based representative. It is also worth noting that the draft e-Privacy Regulation also contains a representative requirement. The draft e-Privacy Regulation (if adopted in its current form) would apply to the provision of electronic communication services, the processing of electronic communications content and metadata, and the protection of devices of end-users who are in the EEA. If a non-EEA entity fell within the scope of the draft e-Privacy Regulation (as currently proposed), it would be obliged to appoint an EEA-based representative for the purposes of the draft e-Privacy Regulation.
What options are there for a GDPR representative?
There are various options regarding the appointment of a GDPR representative. It may be possible to appoint an existing EEA partner company or service provider as your organisation’s representative. It will be important to put in place a written agreement clearly setting out the representative’s obligations and to apportion any potential liability between the parties.
Alternatively, if your organisation has commercial or tax-driven reasons to expand EEA operations it may make sense to incorporate a new company to act as your organisation’s GDPR representative.