When faced with a data protection related quandary, most people turn to the web for an answer to their dilemma; scouring legislation, supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation. guidance, or perhaps resorting to a good old Google search. In doing so, you may have noticed that when it comes to guidance, much is focused on the needs of Data ControllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data.. Data ProcessorsThird parties processing personal data on behalf of a data controller., however, are often left out in the cold, making it difficult to access the information needed to comply.
When it comes to appointing a Representative under Article 27 of the GDPR, the story is no different. In fact, we ourselves have perpetuated this, having written blogs about when Controllers need EU GDPR Representation, yet omitting to pay the necessary attention to Processors in this context. In this blog post, we seek to fill that gap.
As highlighted previously, the applicability of Article 27 is based upon geographical factors. Although this is the same for Processors, the situation is a little more complex.
Before we get stuck in, just a note to say that whilst we shall be talking in the context of EU Representation and the EU GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation)., the following also applies in the context of UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU..
EU GDPR applicability – Article 3(2)
When it comes to considering whether Article 27 applies to a Processor, and thus whether a Representative is required, the first port of call should be to consider Article 3(2). Article 3 pertains to the Territorial Scope of the EU GDPR, and Article 27 states that it only applies where a Controller or Processor is brought into the scope of the EU GDPR by virtue of Article 3(2).
Article 3(2), for its part, covers organisations that are not established in the EU that processA series of actions or steps taken in order to achieve a particular end. the personal dataInformation which relates to an identified or identifiable natural person. of data subjects located within the EU, where the processing relates to the offering of goods or services to, or the monitoring of the behaviour of, individuals within the EU.
Article 3(2) therefore sets out a two-part test. First, the organisation must not have an establishment within the EU. This is simple enough to determine. The second part, however, may need closer examination as it requires that the organisation must be processing personal data in relation to:
(a) the offering of goods or services to data subjects within the EU (irrespective of whether payment is required); or
(b) the monitoring of their behaviour as far as their behaviour takes place within the EU
In other words, the processing activities must ‘target’ EU data subjects in some way. This is made more complex in the context of Processors because, in its guidance on the territorial scope of the EU GDPR (Guidance 3/2018), the European Data Protection Board (EDPB) states that “The ‘Targeting’ character of a processing activity is linked to its purposes and means; a decision to target individuals in the Union can only be made by an entity acting as a Controller.”
The EDPB adds that whilst only a Controller can decide whether to ‘target’ EU data subjects, Processors can be involved in the processing activities that occur as a consequence of this targeting. The EDPB, therefore, explains that when determining the applicability of Article 3(2) to a Processor, “the focus should be on the connection between the processing activities carried out by the Processor and the targeting activity undertaken by a Data ControllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data..”
Article 27 applicability
So, having laid out how the EU GDPR can apply to a Processor by virtue of Article 3(2), and stating previously that Article 27 applies to organisations to which Article 3(2) applies, it would seem safe to assume that our work here is done – well, perhaps not.
For, it seems, there may be one final factor that means not all Processors for whom the EU GDPR possibly applies by virtue of Article 3(2) have to appoint a Representative. That is, the Controller’s location. There has been an ongoing debate around whether the Controller’s location makes any difference to how Article 27 applies to Processors and, having done our research, the answer we have concluded is – maybe.
In essence, it has been suggested that if a Processor that falls under Article 3(2) of the EU GDPR is processing data on behalf of a Controller also located outside of the EU, it will need to appoint a Representative. But, if that same Processor was instead processing data on behalf of a Controller located within the EU, it would not have to appoint a Representative.
Why? I hear you ask. Well, for that we have to consider the purpose of a Representative which is essentially to act as a point of contact for both supervisory authorities and data subjects within the EU. Now, where a Processor located outside of the EU is processing personal data on behalf of a Controller located within the EU, the data subjects and supervisory authorities will already have easy access to someone who can deal with their queries – the Controller. And, given that the Controller is ultimately responsible for the processing carried out by the Processor, and for responding to data subjects’ rights requests, it seems hard to conceive of a situation in which the preferred option would be to go through a Processor’s Representative, only for them to contact the Processor who would then contact the Controller. As such, in these instances requiring a non-EU Processor to appoint a Representative serves little, if any, purpose.
Interestingly, the three examples (19,20&21) given in Guidance 3/2018 concerning when Article 3(2) would apply to Processors, thus triggering the EU Representative requirement, only involve instances whereby they are processing personal data for Controllers located outside of the EU. There are no examples that include a Processor outside the EU processing personal data on behalf of a Controller in the EU and consequently requiring an EU Representative. Therefore, it could be inferred that only the former circumstance triggers the EU Representation requirement. This does, however, remain a bone of contention and a grey area.
Conclusion
To conclude, it appears that the current state of play is likely to be this:
When considering what the role of a Representative is meant to be, this conclusion does seem to make sense. But, it must be noted that this comes with the caveat that this area of the EU GDPR has yet to be explicitly clarified by any guidance or case law. However, it is hoped that the introduction of the new UK Representative requirement – resulting from the UK GDPR coming into force at the end of 2020 – may prompt either the EU or the ICOThe United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. to be forthcoming with some more concrete advice. If and when this does come, we shall be sure to update this blog post accordingly.
If your organisation is processing personal data on UK or EU residents, please visit our GDPR representative services page to find out more.
Fill in your details below and we’ll get back to you as soon as possible