GDPR Guidelines – What the EDPB clarification means for Non-EU businesses
David Fagan, founder of EU Rep, looks at the recent clarification to the guidelines around EU Representatives.
As you know, our product is an “EU Representative”. The EU has recently changed its guidelines, clarifying when non-EU businesses MUST appoint an EU Representative.
In short, almost every non-EU business that sells to, or provides services to, individuals in the EU, or that targets such individuals (for example through behavioural advertising), will be obliged to appoint an EU Representative.
The European Data Protection Board (EDPB) recently (16 November 2019) adopted revised wording of its guidance document on the territorial scope of the GDPR, Guidelines 03/2018. These Guidelines include clarifications around the appointment and role of the EU Data Protection Representative under Article 27 of the GDPR. The revised text also makes clear that the Representative’s liability is limited to keeping Article 30 records and providing any information sought by a Supervisory Authority.
The key take-away points are as follows:
- Controllers/processors outside the EU which undertake more than one processing activity do not need to appoint a separate Representative in respect of each processing activity.
- An EU-based processor should not be appointed as the EU Representative of a non-EU company for which it is processing data, due to the potential conflict of interests between those roles (similar to the already-included stipulation that the same company should not be appointed as DPO and Representative for the same data controller/processor).
- The very limited “occasional” exemption from appointing a Representative (Article 27(2)(a)) should be interpreted in a very restrictive manner. “Occasional” should be read in line with previous guidance from the Article 29 Working Party, adopted by the EDPB, on exemptions from the obligation to prepare records of processing under Article 30 (“… a processing activity can only be considered as ‘occasional’ if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor”). Even if occasional, such processing must not be large-scale (which takes into account not only the number of data subjects, but the volume of data processed, and the geographical extent and duration of the processing, whether measured in absolute numbers or as a proportion of the relevant population affected). In addition, the processing must be “unlikely to result in a risk to the rights and freedoms of natural persons”, and when assessing this element “considerations should be given to both the likelihood and severity of the risk”.
- For the public authority exemption (Article 27(2)(b)): whether an entity falls into this category will depend on how it is defined by the relevant national law and will be assessed by the relevant data protection authority on a case-by-case basis.
- Article 30 records of processing:
  - The controller/processor is responsible for the “primary content” of the records of processing (previously it could be argued that this responsibility was shared between the controller/processor and their Representative) and must provide their Representative with the updated records.
  - It is the Representative’s responsibility to provide the records when requested by an EU data protection authority (Article 27(4)).
- When communicating with a data subject, the Representative should do so in the language of the data subject/data protection authority involved unless this requires a disproportionate effort.
- There is no “substitutive liability of the representative in place of the controller”.
The Guidelines will continue to be viewed as “best practice” rather than legally binding requirements, and there is no doubt that the issues around the obligation, duties and liability of the Representative will be discussed and clarified further in due course.
David Fagan is a widely respected lawyer specialising in data protection and founder of EU Rep