Q&A with David Fagan and Gail Chalmin, founders of EU Rep
David Fagan is a solicitor and commercial lawyer who has been working with companies for over 20 years, helping them manage their legal requirements on data privacy. Gail Chalmin is a commercial and data protection consultant with over 21 years' experience helping companies with data compliance, data protection policies and contracts.
Together they have founded EU Rep, an exciting Irish start-up which helps non-EU companies comply with GDPR. We took time out of their busy schedule to ask them about the new service and how companies can use it to ensure they are complying with GDPR.
What inspired you to come up with the idea for EU Rep?
David: In the course of my work I have come across many business leaders, sometimes running small to medium companies where data protection is highly important, and who want to comply, but also who want a cost-effective solution, and that's where EU Rep was born – we act as the EU representative for you for less than the cost of a monthly gym membership. The reality is that GDPR is a legal provision, but achieving compliance through the intervention of lawyers is normally very expensive, and not always cost-effective. EU Rep is the first solution to market that combines the experience and skills of senior privacy lawyers with the commodification approach that IT can bring to sectors.
Can you explain in simple terms why GDPR affects companies that aren’t even based in the EU?
David: Article 27 of the GDPR applies the GDPR to organisations not established in the EU if they process personal data related to the offering of goods or services, whether for profit or not, to individuals in the EU, or the monitoring of behaviour of individuals in the EU.
So if you are a company in the US, with an innovative App or software, and that App or software is purchasable by individuals in the EU, then in the purchase process, you may be collecting personal data from individuals. Even if your purchase process does not involve the collection of personal data by you (because it is done by a third party such as PayPal) you are still likely to be getting some personal data via a registration process, or possibly via the use of the software itself. In such circumstances, you will be obliged to appoint an EU Representative.
If you are a Korean manufacturer of automotive products, and you ship these products to individuals in the EU, then you will be using personal data to do so, such as a name, address, and possibly payment details. Again, if you are processing the personal data of individuals in the EU, even though you are established outside of the EU, then you will be required to appoint an EU Representative.
If you are an innovative online marketer, based in Australia, and your business model involves behavioural analysis of individuals in the EU, in order to appropriately target advertisements, special offers, tailored branding and content, and even though you are established outside of the EU, you will be required to appoint an EU Representative.
Are there any exceptions to Art 27?
Gail: Article 27.2 excludes processing which is occasional, and which does not include large-scale processing of special category personal data, or personal data relating to criminal convictions and offences, provided that it is not likely that there are risks to individuals in the EU. This is quite a limited exemption. Essentially it is volume based, and sensitivity based. If it is in any way frequent, Article 27 will apply. If it is very infrequent, but personal data is processed on a large scale, then Article 27 will apply. If it is very infrequent, does not involve large-scale processing of personal data, but that personal data is sensitive, then Article 27 will apply.
In the main, it will be safer for any organisations who do process personal data of individuals in the EU or monitor behaviour of individuals in the EU to appoint an EU Representative.
Are there any penalties if companies don’t comply?
Gail: There are Administrative Fines of up to €10 million, or 2% of a company's global turnover, whichever is the greater; there is the possibility of civil litigation against the company; there is the possibility of other fines for other breaches of the GDPR, and criminal prosecutions, including of managers, directors, or other officers of the company, including the possibility of terms of imprisonment being imposed; and most importantly of all there is the risk of damage to a company's reputation.
But it is also the case that the non-appointment of an EU Representative is one of the most visible means of broadcasting your non-compliance to the world, including competitors, unhappy customers, regulators, and privacy activists.
How does EU Rep work?
David: We have tried to make the process as simple as possible – you pay a one-off joining fee of €99 and then a monthly fee of €19. You sign up online and the appointment is made, simply, cost-effectively, and compliantly.
You are also offering an affiliate service, how does that work?
David: We work with a number of consultants and fellow lawyers, who are often asked for advice on EU Representative compliance. Our affiliate service allows them to recommend our service through the use of a discount code, securing a discount for their client on the sign-up fee, and we pay them an affiliate commission for the recommendation.
Once signed up, what does a company need to do?
Gail: Once signed up, customers receive a pack setting out the relevant documents governing the appointment, and they are also provided with wording in order to meet their requirements under Articles 12, 13 and 14 of the GDPR with regard to notifying individuals of their EU Representative.