GDPR COMPLIANCE AFTER BREXIT – THE HIDDEN OBLIGATION
Pannone Corporate
05/10/2020

In order to process personal data concerning EU residents in connection with the sale of goods or services or the monitoring of EU residents (either as a controller or a processor), you may need to appoint a representative within the EU. This requirement (under Article 27 of the GDPR) is sometimes referred to as the “hidden obligation” as many organisations are unaware of it. From the end of this year, when the UK will no longer be subject to the Brexit transitional arrangements and will formally cease to be part of the EU, UK businesses will need to appoint such a representative if they do not have a formal presence within the EU but offer goods or services to individuals in the EU or monitor their behaviour.

Appointing a representative will not be a straightforward process. The selection process will take some consideration, since the representative will have authority to represent the relevant controller or processor (the non-EU entity) in respect of all of their obligations under the GDPR within the EU, including before supervisory authorities (regulators). It will be crucial to appoint someone with a good grasp of data protection laws and an understanding of the nature of the processing activities being undertaken by the non-EU entity. The representative should be appointed in writing and their details will need to be made available to EU data subjects and regulators (such as on the non-EU entity’s website and in its privacy policy).

In addition, the representative must be able to facilitate communications with EU data subjects and maintain a record of processing activities on behalf of the non-EU entity. The representative will need to be located in the member state where the relevant EU data subjects are located, or where most of them are, and should be able to converse in the local language (or ideally multiple languages of the EU). Some non-EU entities operating across the EU may need to consider appointing multiple representatives. The European Data Protection Board has advised that a representative should not be the same person as the non-EU entity’s data protection officer or their processor due to the potential for a conflict of interest.

Failing to appoint a representative could result in a fine of up to (the higher of) €10 million or 2% of annual worldwide turnover.

Although it is ultimately the responsibility of the non-EU entity to comply with the GDPR with respect to EU data subjects, regulators are able to initiate enforcement action through a representative, including addressing fines and penalties to the representative.

Public authorities are exempt from the requirement to appoint an EU representative, as are any non-EU entities that only process occasional personal data that does not include a large amount of special category or criminal data and which is unlikely to result in a risk to the rights and freedoms of individuals.

Of course, given the intended incorporation of the GDPR into UK data protection law at the end of the transition period, EU entities without a presence in the UK may correspondingly need to appoint a UK representative from 1 January 2021.

Please get in touch with our data protection team if you require more information or need help with appointing an EU representative.
