A GDPR Representative is an EU-based entity that acts as a point of contact for non-EU organizations who collect, process, or store data relating to EU subjects.
The General Data Protection Regulation (GDPR) affects every organization that collects, processes, or stores data relating to EU subjects regardless of the organization's location. Under Article 27 of GDPR, organizations that do not have a physical presence within the EU may be required to appoint an EU-based representative to act as their point of contact.
The reason for this requirement is so that EU citizens and national authorities can contact organizations outside the EU without having to go through potentially confusing, difficult, and costly channels. For non-EU organizations, the benefit of having a GDPR Representative is that they can respond to enquiries within the regulatory response period of one month in order to avoid a potential administrative fine of up to 10 million Euros or 2 percent of global turnover.
However, not every non-EU organization is required to appoint a GDPR Representative, as exceptions exist to Article 27 – and Article 3(2) on which Article 27 is based. If a non-EU organization does not process “large volumes” of data or “special category” data, it will likely be exempt from appointing a GDPR Representative. Organizations unsure about whether a GDPR Representative is required or not should seek professional legal advice.
Unlike a Data Protection Officer – who is usually an in-house employee with responsibility for ensuring GDPR compliance – a GDPR Representative can be any individual or business located within the EU. GDPR stipulates the representative should be located in the country from which data originates; but organizations with an EU-wide presence can choose a representative located in any member state.
The responsibilities of a GDPR representative are primarily to receive “rights” requests from EU citizens (i.e. Subject Access Requests), which are then forwarded on to the organization controlling or processing data to be attended to. The representative should ensure rights requests are responded to within a month and also maintain records of the organization's data processing activities so they can be provided to a national data protection authority when requested.
One further responsibility of a GDPR Representative is to keep organizations informed of any changes to GDPR or how the regulation is being enforced by individual member states. In several cases, national data protection authorities have issued their own guidance for how GDPR should be applied, and it is important for organizations to be aware of any nuances that may result in a fine for non-compliance.
One of the key requirements of Article 27 for non-EU organizations is that the contact details of the GDPR representative should be published in the organization's Privacy Notice. If a non-EU organization fails to publish its representative's contact details, it is immediately apparent to national data protection authorities that the organization has failed to comply with this requirement.
The concern for national data protection authorities is that, if an organization has failed to comply with this relatively simple requirement, it may also be failing to comply with GDPR elsewhere in its EU-facing operations. Having the contact details of a GDPR Representative published in a Privacy Notice is an indication an organization is complying with GDPR and will help the organization avoid further scrutiny.