Navigating the complexities of data protection regulations can be challenging, especially for organisations and businesses operating across borders.
The General Data Protection Regulation (GDPR) specifies that organisations located outside the EU, without an establishment in the region, must designate a Representative if they process the personal data of EU residents. The UK GDPR imposes the same requirement on organisations processing the personal data of UK residents.
This is a requirement for both data controllers and processors.
A controller is defined as a person or organisation that determines the means and purpose of processing personal data. A processor is a person or organisation that processes personal data only under the instructions of the controller.
In this blog, we help you understand whether your organisation needs an EU or UK GDPR Representative, or possibly both. Whether you are a data controller or processor, we answer some of the key questions frequently asked by businesses across the spectrum of industry sectors and sizes.
Question 1: What is a GDPR Representative?
A GDPR Representative is a person or organisation appointed to represent a controller or processor that handles the personal data of EU or UK residents and is located outside those territories.
There are two types of GDPR Representatives:
EU GDPR Representative: Required if you are a data controller or processor located outside the EU and offer goods or services to, or monitor the behaviour of, EU residents.
UK GDPR Representative: Required if you are a data controller or processor located outside the UK and offer goods or services to, or monitor the behaviour of, UK residents.
Representatives act as a point of contact for EU and UK-based individuals who want to exercise their data subject rights, and regulatory authorities that have queries about the data processing activities.
EXAMPLE: If an individual living in the EU wants to know what personal data a company in the US has stored about them (a right known as a Data Subject Access Request or DSAR), they would contact the company’s EU GDPR representative. The Representative would action this request and make sure the individual receives the information they are entitled to under data protection laws.
Question 2: Is our type of processing and volume of data considered occasional? If so, do we need a GDPR Representative?
This will depend on each individual situation, whether the type of processing and volume of data is deemed ‘occasional’, and whether an organisation is offering goods or services to EU or UK residents.
Generally, if data processing is occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, you will not need to appoint a GDPR Representative.
EXAMPLE 1: A US medical device company sells goods to US customers. The company does not currently have any marketing activities within EU markets. However, they have acquired a single EU customer. The personal data processing for this single customer would be deemed occasional, as it is a one-off that will not occur on a regular basis, or only on a limited scale. In this situation, the company would not need an EU GDPR Representative.
EXAMPLE 2: A Canadian tech company sells software predominantly to North American customers and is expanding the business by advertising to EU and UK markets. The volume of EU and UK personal data processing is low, compared to the rest of the business. However, the company is specifically targeting EU and UK residents and offering goods and services as part of the business function. The company here would require both an EU and UK GDPR Representative.
It is important to note that even occasional processing of EU or UK personal data must still comply with the GDPR. This includes having a lawful basis for processing personal data and taking appropriate data security measures.
Question 3: Do we still need a GDPR Representative if we pseudonymise our data?
Pseudonymisation is a useful security technique to make it more difficult to identify individuals.
Pseudonymised data, sometimes known as coded data, is personal data that has been changed to prevent easy identification of a person without additional information. For example, names are replaced with aliases, addresses with regions, dates of birth with age ranges, etc. However, not all of these alterations need to be applied for data to be considered pseudonymised; which ones are needed will depend on the specific database. Any field that can relate the record to a particular individual should be altered where necessary.
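The following Python script is an added illustration of the technique described above; it is not code from the original post or from The DPO Centre. It pseudonymises a small constructed record set in exactly the ways listed (name to alias, address to region, date of birth to age band), keeps the alias-to-name key table as a separate object, and shows why the result is still personal data: anyone holding the key table can re-identify a record, while the same record cannot be resolved without it. The record contents, the secret, and the reference date are all constructed for the demonstration.

```python
"""Pseudonymisation demo: coded records plus a separately held key table.

Added example, not from the original article. All data below is constructed.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Alice Example", "dob": date(1985, 6, 15),
     "address": {"street": "1 Demo Strasse", "city": "Berlin", "country": "Germany"},
     "diagnosis": "asthma"},
    {"name": "Bob Sample", "dob": date(1970, 2, 28),
     "address": {"street": "2 Rue Exemple", "city": "Lyon", "country": "France"},
     "diagnosis": "hypertension"},
]

# Constructed secret and reference date, fixed so the output is reproducible.
DEMO_SECRET = b"constructed-demo-secret"
REFERENCE_DATE = date(2024, 1, 1)


def age_band(dob, reference):
    """Replace an exact date of birth with a ten-year age band such as '30-39'."""
    age = reference.year - dob.year - ((reference.month, reference.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def make_alias(name, secret):
    """Derive a stable alias from the name with a keyed hash.

    Using HMAC rather than a plain hash means the alias cannot be recomputed
    by someone who does not hold the secret, but the same secret always
    yields the same alias, so records stay linkable across datasets.
    """
    return hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def pseudonymise(records, secret, reference=REFERENCE_DATE):
    """Return (coded_records, key_table).

    The coded records carry no name, street, city or exact date of birth.
    The key table maps alias -> name and is the 'additional information'
    that must be stored separately and protected.
    """
    key_table = {}
    coded = []
    for rec in records:
        alias = make_alias(rec["name"], secret)
        key_table[alias] = rec["name"]
        coded.append({
            "alias": alias,
            "region": rec["address"]["country"],   # address reduced to a region
            "age_band": age_band(rec["dob"], reference),
            "diagnosis": rec["diagnosis"],          # the payload being studied
        })
    return coded, key_table


def reidentify(coded_record, key_table):
    """Resolve a coded record back to a name, or None if the key is not held."""
    return key_table.get(coded_record["alias"])


if __name__ == "__main__":
    coded, keys = pseudonymise(RECORDS, DEMO_SECRET)
    for row in coded:
        print(row, "->", reidentify(row, keys))
    # Without the key table the same row resolves to nothing.
    print(reidentify(coded[0], {}))
```

The point the script makes is the one the article makes: the coded records are only safe while the key table (or the HMAC secret, which lets the alias be recomputed) is held apart from them, and because that key exists, the records remain indirectly identifiable and therefore personal data under the GDPR.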
EXAMPLE: A life sciences organisation in the US is a sponsor for a clinical trial in the EU. The trial participants’ data are pseudonymised for safeguarding and security. As EU residents’ personal data is being processed, the sponsor must comply with the GDPR. Under the GDPR, pseudonymisation does not change the status of personal data as it remains ‘indirectly identifiable’.
Therefore, as the trial is designed specifically for EU participant data, and the data will be processed outside the EU, the organisation must appoint an EU GDPR Representative, unless they have an appropriate establishment within the EU. Even if the organisation has a data protection officer (DPO), they will still need a GDPR Representative, as the roles hold different functions (as explained later, in question 7).
Question 4: Our organisation processes both EU and UK personal data. Do we need both an EU and UK GDPR Representative?
If your organisation processes both EU and UK personal data and does not have a branch, office or other establishment in any EU, EEA or UK region, you may need to appoint both an EU and a UK GDPR Representative.
EXAMPLE: A lead generation company in Singapore targets EU and UK residents with a number of digital marketing campaigns. They collect, use and process various types of personal data including names, emails, phone numbers and addresses. As the company does not have a suitable establishment within either the EU or the UK, to comply with the GDPR, they would need to appoint both an EU and UK GDPR Representative as a point of contact.
It is important to note that as the UK has completely separated from the EU, it is considered a different jurisdiction for data processing.
UK organisations without an office or branch in the EU that process EU residents’ personal data will need to appoint an EU GDPR Representative. Likewise, EU organisations that do not have an office or branch in the UK and process UK residents’ data need to appoint a UK GDPR Representative.
Question 5: Our company is a small, family-run organisation. How do we find out if we need a GDPR Representative?
The main qualifying factor for the requirement of a GDPR Representative is whether the company processes the personal data of EU or UK residents and is located outside these areas.
Other factors include the type of processing, the volume of data and whether it is considered large scale. The size of the company is not of primary importance, but the volume and type of data processing are.
There isn’t a specific volume of data that triggers the need for a GDPR Representative; what matters is the volume of EU or UK processing relative to the organisation’s normal amount of processing. This can vary, depending on the industry sector.
EXAMPLE: A small tech company in China sells various apps to their main customer base in the UK. They want to enter the EU market and have several online marketing campaigns to attract more customers. The company processes names, addresses, and payment information. As one of the products is an exercise app, it also captures and stores health information. The company does not have an office or branch in either the EU or UK, but they currently have a UK GDPR Representative. They will now also need to appoint an EU GDPR Representative to act as a point of contact for EU authorities and customers.
Special category data considerations:
Special category data refers to a particular type of personal data that is considered more sensitive and requires higher levels of protection.
It is important to note that when it comes to handling special category data, like health records or clinical trial information, it is often necessary to appoint a GDPR Representative. This is usually because the processing involves large amounts of sensitive information.
However, according to Article 27(2)(a) of the GDPR, if a non-EU/UK company processes EU/UK residents’ personal data only occasionally, and this processing does not involve large volumes of sensitive data and is unlikely to pose a risk to the rights and freedoms of individuals, then the company is not obliged to appoint a GDPR Representative. This provision is significant for smaller or less data-intensive non-EU/UK organisations, as it reduces their compliance burden under the GDPR.
Question 6: We engage a third-party company to handle some of our data processing activities that involve EU residents. Do we each need to appoint an EU GDPR Representative?
Controllers and processors need to appoint a GDPR Representative if they are located outside these regions and process the personal data of EU or UK residents.
If both the controller and processor are located outside the EU or UK, they will both need to appoint a suitable GDPR Representative.
EXAMPLE: A tech company in the US provides data analysis for another US tech company, which sells marketing services to an insurance company in the Netherlands. Both tech companies are processing the data of EU residents. Therefore, under the GDPR, both companies will need to appoint an EU GDPR Representative. As the insurance company is based in the EU, it does not need to appoint one.
It is important to note that a mechanism such as standard contractual clauses (SCCs) is required for international data transfers between controllers and processors, along with the necessary transfer risk assessment (TRA) or transfer impact assessment (TIA).
Question 7: How does a GDPR Representative work with a data protection officer (DPO)?
A GDPR Representative and Data Protection Officer (DPO) have distinct roles.
Data protection officers work internally within organisations to inform, advise and monitor compliance with the GDPR.
GDPR Representatives act on behalf of companies not based in the EU or UK and facilitate external communications as required. They are the official point of contact for data subjects and supervisory authorities and should communicate in the language of the request.
The two roles can collaborate to ensure that data protection practices are effective and aligned with regulatory requirements.
EXAMPLE: A UK-based insurance company sells products to customers in the UK and EU. The company has a DPO and an EU GDPR Representative. The DPO is responsible for monitoring and managing compliance with UK GDPR and EU GDPR, advising on data protection obligations and acting as a point of contact for UK data subjects and the UK’s Information Commissioner’s Office (ICO). The EU GDPR Representative is the local point of contact for EU data subjects and each of the EU supervisory authorities. They handle any inquiries or complaints from EU customers and EU data protection authorities, and relay these to the DPO, liaising as required. The DPO advises the company on how to handle any EU inquiries to ensure compliance with EU GDPR. The two roles are distinct and separate, although they work together when needed to ensure the company is compliant when processing EU personal data and no conflict of interest is created.
In this example, the company has both a DPO and a GDPR Representative. For companies that do not have a DPO, the GDPR Representative would relay any inquiries or complaints from customers and data protection authorities directly to the company.
Summary
A GDPR Representative acts as a point of contact for data subjects and data protection authorities. There are two types – an EU GDPR Representative and a UK GDPR Representative.
The requirement for an EU or UK GDPR Representative is the same for data controllers and data processors that handle the personal data of EU or UK residents, respectively, and does not depend on the size of the organisation but rather on the volume and nature of its data processing.
To summarise, a GDPR Representative will be required if:
- An organisation is located outside the EU/UK, and does not have a local office
- The personal data of EU or UK residents is being collected, stored or processed
- The data processing is not occasional and is part of the business function
- The data processing is related to the provision of goods or services, regardless of whether a payment is made
- The data processing is related to the monitoring of behaviour of EU/UK residents
- An organisation processes any special category data, even occasionally
If your business is based outside the EU and you process the data of EU residents, you will need an EU GDPR Representative, unless you have a local establishment. The same applies if your business is based outside the UK and you process UK residents’ data – you will need a UK GDPR Representative.
The DPO Centre can help with both EU and UK GDPR Representation
- Offices in Dublin and all 27 EU member states, as well as the UK
- The necessary ‘establishment’ details in the UK or any EU member-state to publish on your EU/UK facing privacy notice
- Access to one of the largest teams of experienced data protection professionals
- Specialist advice line, providing assistance, recommended actions, and appropriate responses
- Highly cost-effective solution
We have worked with over 800 clients globally across the spectrum of industry sectors, supporting their data protection compliance and bringing peace of mind.