Most people will be aware that Data Protection regulations changed within Europe on the 25th May 2018 with the implementation of the General Data Protection Regulation (GDPR). The GDPR applies to Data Controllers AND Data Processors that process personal data of individuals in the EU (NOT JUST EU CITIZENS!), regardless of where the organization is established in the world.
Whilst the GDPR is a European regulation, many organizations outside of Europe will be unaware that they are required to appoint a Nominated European Representative under certain conditions (as per Article 27 of the GDPR).
Organizations that wonder whether the GDPR applies to them, should answer the questions in the below option diagram:
If the answer is ‘yes, this entails that Article 27 does apply to your organization, which means you should start looking for a European representative. Because if you fail to appoint one then you could be fined up to €10,000,000 or 2% of global turnover (whichever is greater) pursuant to Article 84(4)(a).
This article is intended to guide organizations outside of the European Union in relation to appointing a Nominated European Representative.
How article 27 describes the role of a Nominated European Representative
The Nominated European Representative is a natural or legal person based in one of the EU member states. He or she effectively acts as a guardian or gatekeeper for your organization with regards to the processing of personal data.
Pursuant to Article 13(1)(a) and 14(1) in the GDPR, the Nominated European Representative must be identified in the privacy notices of the non-EU based company. He or she can be addressed in addition to or instead of the non-EU based company, in particular, with respect to communications with supervisory authorities and data subjects, on all issues related to data processing, for the purposes of ensuring compliance with the GDPR, pursuant to Article 27(4).
The Nominated European Representative represents the non-EU based company with respect to obligations under the GDPR, pursuant to Article 4(17).
In terms of active duties, the Nominated European Representative has three:
He or she shall maintain records of processing activities for the non-EU based company (which is the one that has to prepare and provide such records, pursuant to Article 30). This is critically important and where any liability upon the nominated European representative lies. Your nominated European representative must ensure that your records of processing activities are a true representation of what is actually going on. Hence, it is important to choose your nominated European representative wisely.
The nominated European representative may be subject to enforcement actions by supervisory authorities in the event of non-compliance by the data controller.
The Nominated European Representative shall co-operate with the supervisory authority pursuant to Article 31 on request.
It is important to note that the designation of a nominated EU representative does not affect the responsibility or liability of the controller or the processor that is based in a third country. Under GDPR Art. 27(4) the controller or processor is always accountable!
Personal Information vs PII – the difference that an EU representative will make you aware of
We are seeing lots of references to PII finding their way into privacy policies of European organizations and also into consultancy proposals given to clients. Personally Identifiable Information (PII) is the term used in the United States and Personal Information is meant to be the European equivalent of PII. Nonetheless, they do not correspond with each other exactly. All PII can be personal data but not all personal data is considered as PII; Personal information has a much broader scope than PII.
PII has a limited scope of data which includes: name, address, birth date, social security numbers and banking information. Whereas, personal information in the context of the GDPR also references data such as: photographs, social media posts, preferences and location as personal.
Article 4 of the GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If your organisation has only focused on the processing of PII thus far, then please keep in mind that an EU representative is obliged to broaden this scope of data processing to comply with Article 4 of the GDPR.
Why you need a Nominated European Representative and not a Data Protection Officer
Regularly we receive questions of organisations that are not clear whether they need a nominated representative or a data protection officer. A nominated European representative under Article 27 and a Data Protection Officer under Article 37 have quite different roles, tasks, functions and duties: A Data Protection Officer functions as the data protection authority within an organization, is intended to foster a compliance culture within your organization and shall assess GDPR compliance.
The nominated European representative acts more like a local representative outside your organization and will not be expected to foster a compliance culture within your organisation. The nominated European representative must solely serve as the contact point for all issues related to the organizations processing of personal data under the GDPR. This entails being a direct contact to any relevant supervisory authorities as well as for data subjects (users/customers).
In November 2018, the recently appointed EDPD (European Data Protection Board) confirmed what it expects of a GDPR Representative:
“With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.”
Guidelines for non-EU companies to determine their main establishment under the GDPR
The determination of a company’s main establishment is currently a hot topic under GDPR. As this topic is linked to that of the Nominated EU Representative, we will give some guidance. The main establishment is the country in which the main decisions on the purposes and means of the personal data processing are taken. It is in this country in which a multi-national company has to deal with the regulator (supervisory authority).
If the controller or the processor, does not have a company in the EU and appoints a Nominated European representative, they CANNOT avail of the One Stop Shop mechanism (OSS) and therefore must deal with local supervisory authorities in EVERY member state they are active in, through their Nominated European Representative.
However, if you have already set up a company in the EU you can avail of the One Stop Shop mechanism, but the determination of your main establishment will depend on your role in the data processing process.
The key to determining your organization’s main establishment if you are a data controller, is to identify which of your organization’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organization takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then the other establishment will be your main establishment.
If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organization does not have any central administration in the EU. If this is the case, the location where your organization’s main processing activities take place will be your main establishment.
If your organization is a joint controller with one or more other organizations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.
If your organization is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing.
If your organization is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organization’s cross-border processing activities will share the same main establishment.
This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organization are taken in the context of a separate establishment.
A final note on appointing the nominated EU representative
In this article we have provided some guidance on appointing a nominated EU representative. For companies outside of the EU, this will be a role of some significance. At the same time the EDPB has not clarified all its expectations regarding the qualifications of the nominated European representative. For example, he or she does not necessarily have to be a legal person, but will need to bring forward some experience in working with supervisory authorities. Also, there are 24 languages in the EU and in the November 2018 communication the EDPB states that the Nominated EU representative should be able to communicate in all of them.
We therefore recommend that any organization appointing a nominated EU representative does this after careful consideration of the option diagram displayed in this article, followed by due diligence to ensure that their representative is able to handle requests as set out in this article.