Since the UK left the EU, many companies that were not previously required to do so, are now having to appoint either an EU or UK Representative. The requirement applies irrespective of whether the UK obtains an A status granted by either the EU Commission (EU) or UK government (UK) to third countries that provide personal data protection that is essentially equivalent to that provided in EU or UK law.... decision from the EU. This development has brought with it a number of questions around what a Representative is and what they do, and also how this role differs from that of a An independent data protection expert whose role includes the monitoring of internal compliance, advising on data protection obligations and acting as a contact point for data subjects and the supervisory authority.... (DPO), and whether a company’s existing DPO can also be their Representative. If you have been wondering the same, then this blog is here to help!
When considering the differences between Representatives and DPOs, the first port of call is to look at the UK and EU GDPR (subsequently, the GDPRs). Article 27 relates to UK or EU Representatives (subsequently, Representatives), whilst Articles 37-39 consider the role of the DPO. These articles define each role, who they apply to and what responsibilities they have.
As a starting point, it is important to point out that both roles only have the potential to apply where an organisation regularly processes the Information which relates to an identified or identifiable natural person.... of UK or EU residents.
Aside from this, the criteria upon which applicability is determined for both roles differs significantly. On the one hand, with regard to Representatives, Article 27’s applicability is based on geographic factors. Namely, if an organisation is based solely outside the EU or UK, the applicable GDPR requires it to appoint a Representative.
On the other hand, whether Article 37’s requirement to appoint a DPO will apply depends upon the scale of the processing being carried out. If an organisation processes personal data regularly and systematically on a large scale, it will need a DPO. Similarly, if special categories of personal data or data relating to criminal convictions and offences is being processed on a large scale, a DPO is required. Crucially, this is regardless of where the organisation is located.
The responsibilities undertaken by a Representative are fairly straightforward. The role essentially does what it says on the tin – acting as an organisation’s representative in either the UK or EU.
In practice, this means being a point of contact for supervisory authorities and data subjects and dealing with any issues that are brought to their attention. Data subjects should be able to contact the Representative if they have any queries or complaints about how their personal data is being handled, or if they would like to submit a rights request. Similarly, supervisory authorities should be able to get in touch with the Representative who should cooperate with them in the event that they want to investigate any complaints or initiate any enforcement action for non-compliance.
A key thing to note is that the role of a Representative is largely reactive. Although they should have a good understanding of how an organisation processes personal data, this is only insofar that it will enable them to maintain an accurate record of processing activities (RoPA) and assist them in communicating with data subjects and supervisory authorities. Their role does not stretch any further and is therefore neatly scope defined.
In comparison, although a DPO must also act as a point of contact for, and cooperate with, supervisory authorities, their responsibilities stretch much further than this as they are responsible for informing and advising the organisation and monitoring overall compliance with the relevant GDPR.
Informing and advising the organisation encompasses a wide range of responsibilities, from ensuring the introduction and maintenance of appropriate policies and procedures, conducting DPIAs and LIAs, delivering data protection training to organisation staff, and providing data protection-related advice and support across an organisation.
The exact tasks that a DPO must fulfil will differ depending on the organisation, however, it is clear that in every case it requires proactive steps to be taken towards compliance, which sets it squarely apart from the role of a Representative.
Can one person be both?
Depending upon the circumstances, an organisation processing the personal data of EU/UK residents may be required to appoint either a DPO or a Representative, both, or possibly neither. Where an organisation requires both a Representative and a DPO, a logical question may be whether one person can fulfil both roles.
Whilst this question has not been answered definitively, it has been suggested by the Irish Data Protection Commission (DPC) that having a single individual acting as both a Representative and DPO should be avoided due to the potential for conflicts of interest to arise given the differing focuses of the two roles. Thus, it is advised that organisations don’t try to kill two birds with one stone.
This conflict of interest can be mitigated by outsourcing one or both of the roles.
Whilst on the face of it the roles of DPO and Representative may seem similar, they are in fact clearly distinct. Not only do they apply differently, but they also have very different undertakings attached. Therefore, it is important that you are clear on which, if either, your organisation requires.
If you are considering outsourcing either of these roles, please see the following pages of our website to find out how we can help: