For companies that are based outside of the EU, the thought of the GDPR (General Data Protection Regulation 2016/679) can be daunting. This EU regulation on data protection and privacy applies to almost all companies operating in the EU that process data on EU nationals, regardless of whether they are based inside or outside of the area. The fines for non-compliance can be intimidatingly high, which is why it’s essential for all companies to familiarise themselves with GDPR and stay on top of their customers’ data needs. Taking this into account and making sure your business model is compliant are key steps when working in the EU.
When does a company need an EU representative?
Companies that are not established in the EU but provide goods and services to EU citizens must comply with GDPR Article 27, which requires them to have an EU representative. Generally, this applies to companies that process a lot of personal data on a daily basis, or those that process sensitive data. These organizations typically have more than 250 employees and need to appoint an EU representative who can serve as a liaison between the GDPR and their activity.
What is the role of an EU representative?
GDPR representatives play an essential role in ensuring GDPR compliance and secure data protection for the business they represent. As an authorised agent, a GDPR representative is responsible for receiving legal documents from national data protection authorities on behalf of the company, maintaining records of data processing activities, and communicating GDPR requirements to the business’s data subjects. The contact details of the GDPR representative should always appear in the business’s privacy policy. GDPR representatives have a significant responsibility in both protecting personal user data and upholding GDPR regulations.
Where must an EU representative be located?
GDPR (General Data Protection Regulation) requires all companies collecting, processing, or storing data from EU citizens to have a GDPR representative located in the same EU member state where the data originates. For instance, if a Chinese company is collecting and processing data from Spanish data subjects, then the GDPR representative must be situated in Spain. Where the company collects, processes, or stores data from citizens of multiple EU member states, it can decide on the most convenient location for its GDPR representative.
How do you appoint an EU GDPR representative?
According to GDPR (General Data Protection Regulation), it is mandatory for businesses and organizations in the European Union to appoint a representative in writing, with clear information as to who has been appointed. The document should detail the company’s name and address and the EU representative’s name and contact information, and include all relevant contractual terms such as hours worked, termination notice, pay rate and non-disclosure.
While having a GDPR representative can ensure that all GDPR requirements are being met, this does not affect your own responsibility or liability under the EU GDPR.
EU GDPR representative services
It is important to thoroughly consider your options when choosing an EU representative for GDPR compliance. This should include researching the representative’s experience, location, costs and terms of service, as well as how flexible they are in providing data protection and privacy services in the future. If you’re unsure about GDPR requirements that apply to your business, Spaans&Spaans can assist with GDPR compliance and guidance on good data management practice.
We also offer EU GDPR representatives as a service. Please contact us for more information.