Summary: If you're a US company that's not based in the European Union (EU) then it may be time to think about expanding your company. Read below first…
- Any organisation providing goods and services in the EU must have a representative in the EU, in one of the member states where the data subjects are located.
- The GDPR covers organisations involved in the analysis of behavioural patterns of EU residents within the scope of the regulation.
- Companies whose processing is only occasional, small-scale, or unlikely to pose a risk to data subjects can be relieved of the obligation to have an EU representative.
Article excerpts from my forthcoming book – 99 Articles on the GDPR
If a company is outside of the EU but provides services or products to the EU, then according to the GDPR, it will be required to appoint a representative in the EU as the contact person for all questions on data protection from EU citizens and data protection supervisory authorities. Similar to a Registered Agent under Delaware General Corporation Law, an EU representative acts as a liaison between the company and the EU. While it may come as a burden, it's a necessary component for EU citizens to have a contact person from whom to get answers. An infringement of this obligation can lead to administrative fines of up to 2% of your annual turnover or 10 million EUR, whichever is higher. (Art. 83 (4) a) GDPR)
If your company offers goods or services to natural persons in the EU (even if it's free!), or if you are processing data related to monitoring the behavior of data subjects in the EU, then you should look into designating an EU representative. Online businesses almost certainly need a representative because most of them rely on personal data, e.g. for personalization purposes, or they provide data (processing) services. However, "behavior" will be an evolving definition when dealing with the GDPR, as spaces like User and Entity Behavior Analytics (UEBA) are continuously able to attract further pieces of data to fit into the rubric of behavior. Still, according to the GDPR, behavior may include monitoring the internet activity of data subjects in order to evaluate or predict their personal preferences, behaviors and attitudes.
What's Not on the List
A broad definition is required as technology pushes towards collecting further types of data. However, not all data that a company processes would create the obligation for an EU representative.
Companies aren't automatically required to have a representative simply because they offer goods and services or monitor behavior. There are a few caveats (see Article 27 (2) a) GDPR) that, although vague, may help companies steer clear of the necessity of hiring a representative. The three caveats are:
- The processing is "occasional";
- The processing does not involve a "large scale" of "special categories of personal data" (e.g., health information) or information relating to criminal convictions; and
- The processing is "unlikely to result in a risk to the rights and freedoms of natural persons."
Although the GDPR does not specify further who can, and cannot, serve as a "representative," the regulation requires that the designated person or entity must have the authority to functionally accept service (i.e., be addressed) concerning any issue relating to processing that may arise from a supervisory authority (i.e., a data protection regulator in the EU) or from a data subject. The representative must be located in one of the EU Member States where the data subjects are located. So while the GDPR requires that a company has a documented procedure in place for detecting, investigating and reporting personal data breaches, it also requires that a physical person be present in the EU should questions arise regarding the regulation.