Why you need GDPR Representation

Article 27 of the GDPR requires organizations outside the European
Economic Area (EEA) that process EEA residents’ data on a regular basis to
appoint a Representative. The Representative is required to:

  • Be the point of contact in the EU for data subjects and supervisory
    authorities from each of the member states
  • Enable supervisory authorities to pursue enforcement actions within
    the EEA

After Brexit, the UK will cease to be a member of the EU. Therefore:

  • Organizations from outside the EEA who do not have a presence inside
    the UK will need a Representative in both the EEA and the UK
  • UK organisations will need a Representative in the EEA
  • EEA organisations will need a Representative in the UK

This page explains why organisations must appoint a Representative. It outlines the key responsibilities of the role and how they are carried out.

WHAT THE GDPR REQUIRES OF A REPRESENTATIVE

Responsibilities

The Representative is required to:

  • Co-operate with the supervisory authorities
  • Facilitate communication between data subjects and your organisation
  • Be readily accessible to data subjects in all relevant member states
  • Maintain a Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR

Supervisory authorities can hold Representatives liable for non-compliance by both the Representative themselves and the organisation they represent.

The Position

The Representative:

  • Is appointed to represent data controllers or processors that are not established in the Union
  • Must be established in one of the member states where the controller or processor’s data subjects reside
  • Can be subject to enforcement proceedings for non-compliance by the controller or processor

The Representative can be a person or company, but with a lead contact assigned.

The Representative appears on your privacy policy as the contact for EU data subjects.

YOUR GDPR REPRESENTATIVE SHOULD WORK WITH YOU TO:

Set up your GDPR Representation

  • Ensure your privacy policy displays the Representative’s contact details
  • Understand your dataflows
  • Review previous gap analysis and impact assessments
  • Ensure adequate security measures are being taken to protect EU residents’ data
  • Be aware of any previous breaches or non-compliance
  • Establish a copy of your Records of Processing Activities (RoPA)

Provide ongoing GDPR Representation

  • Maintain and update your RoPA on an ongoing basis
  • Translate and respond to queries from European Data Protection Authorities and Data Subjects
  • Log and, where appropriate, report breaches to the relevant regulator
  • Receive and log data subject rights requests and advise on suitable responses
  • Advise on data protection regulatory issues that impact your organisation

If you would like to speak to us about any of our Data Protection consultancy services, contact us.