Summary: If you’re a US company that’s not based in the European Union (EU) then it may be time to think about expanding your company. Read below first…
If a company is outside of the EU but provides services or products to the EU, then according to the GDPR, they will be required to appoint a representative in the EU as the contact person for all questions on data protection from EU citizens and data protection supervisory authorities. Similar to a Registered Agent in Delaware General Corporation Law, an EU representative would act as a liaison between the company and the EU. While it may come as a burden, it’s a necessary component for EU citizens to have a contact person from which to get answers. An infringement of this obligation can lead to administrative fines up to 2% of your annual turnover or 10 million EUR, whichever is higher. (Art. 83 (4) a) GDPR)
If your company has an offering of goods or services to natural persons in the EU (even if it’s free!), or if you are processing data related to monitoring of behavior of data subjects in the EU, then you should look into designating an EU representative. Online businesses almost certainly need a representative because most of them rely on personal data e.g. for personalizing purposes, or they provide data (processing) services. However, “behavior” will be an evolving definition when dealing with the GDPR as spaces like User and Entity Behavior Analytics (UEBA) are continuously able to attract further pieces of data to fit into the rubric of behavior. Still, according to the GDPR, behavior may include monitoring internet activity of data subjects in order to evaluate or predict her or his personal preferences, behaviors and attitudes.
What’s Not on the List
A broad definition is required as technology pushes towards collecting further types of data. However, not all data that a company processes would create the obligation for an EU representative.
Companies aren’t automatically required to have a representative simply because they offer good and services or monitor behavior. There’s are a few caveats (see, Article 27 (2) a) GDPR) that, although vague, may help companies to steer clear of the necessity of hiring a representative. The three
· The processing is “occasional”;
· The processing does not involve a “large scale” of “special categories of personal data” (i.e., health information) or information relating to criminal convictions; and
· The processing is “unlikely to result in a risk to the rights and freedoms of natural persons.”
Although the GDPR does not specify further who can, and cannot, serve as a “representative,” the regulation requires that the designated person or entity must have the authority to functionally accept service (i.e., be addressed) concerning any issue relating to processing that may arise from a supervisory authority (i.e., a data protection regulator in the EU) or from a data subject. The location of the representative would be in one of the EU Member states where the data subjects are located. So while the GDPR requires that a company has a documented procedure in place that allows for detecting, investigation and reporting personal data breaches, it also requires that a physical person in the EU should questions arise regarding the regulation.