12 December 2019
Five key elements of the role of a GDPR Representative
In its recently adopted Guidelines on the Territorial Scope of the GDPR, among other things the EDPB confirmed its views on key elements of the role of a GDPR Representative.
These Guidelines, which were adopted on 12 November 2019, state the following in relation to a GDPR Representative (who may be required to be appointed by organisations that are subject to the GDPR but are not ‘established’ in the EU):
- A GDPR Representative’s liability is limited to its specific obligations;
- The role of a GDPR Representative is not compatible with the role of a Data Protection Officer (“DPO”);
- The responsibilities and compliance obligations of a GDPR Representative and processor are not compatible;
- It is not mandatory for a GDPR Representative to be able to communicate in the language(s) used by its supervisory authority or data subjects; and
- A single GDPR Representative can cover several processing activities falling within the scope of the GDPR.
1. Limited liability
According to the EDPB, a GDPR Representative is not liable in place of the organisation that it represents for that organisation's non-compliance with the GDPR. Instead, a representative's liability is limited to its own direct obligations: (i) to maintain a record of processing activities on behalf of the organisation it represents and to produce it on request to a supervisory authority (Article 30), and (ii) to provide information to a supervisory authority in the context of an investigation (Article 58(1)). One of the main functions of the GDPR Representative concept is to enable supervisory authorities to initiate enforcement proceedings against organisations not established in the EU, and to impose corrective measures or administrative fines on them, via their appointed representatives in the EU. Those representatives will not, however, be held directly liable for the obligations of the organisations they represent.
2. Data Protection Officer
A GDPR Representative should not act as the DPO of a non-EEA controller or processor. According to the EDPB, the roles of GDPR Representative and DPO are not compatible: the representative is mandated by the non-EEA controller or processor to act under its direct instruction, whereas a DPO is required to be independent and autonomous in their role.
3. GDPR Representative as a processor
A GDPR Representative for a non-EEA controller should not also be that controller's processor. According to the EDPB, this is due to the possible conflict of obligations and interests between the two roles, particularly in the case of enforcement proceedings. Additional issues arise from each role's different compliance obligations.
4. Language
When a GDPR Representative communicates with a supervisory authority or data subjects it must be able to do so effectively and should in principle communicate in the language used by the supervisory authority and/or data subjects. If this would be disproportionate, however, then the GDPR Representative may use other means and techniques to ensure effective communication.
5. Number of GDPR Representatives
Where a controller or processor not established in the EU carries out several processing activities which make it subject to the GDPR (pursuant to Article 3(2) of the GDPR), that controller or processor may designate a single GDPR Representative for all of the processing activities falling within the scope of the GDPR.
The Guidelines also provided clarification on the EDPB's interpretation of the two exceptions to the obligation to appoint a GDPR Representative set out in Article 27(2) of the GDPR. One of the elements of the first exception is that the processing is "occasional." The EDPB has clarified that "occasional" means processing which is not carried out on a regular basis and which occurs outside the regular course of business or activity of the controller or processor. In relation to the second exception, covering a public authority or body, the EDPB notes that these terms are not defined in the GDPR. It states that in the rare circumstances where a non-EU public authority or body is subject to the GDPR under Article 3(2), supervisory authorities must assess in concreto, and on a case-by-case basis, whether that authority or body is exempt from the obligation to appoint a GDPR Representative.
Also contributed by Catherine Walsh
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.