The General Data Protection Regulation (“GDPR”) requires organizations established in the European Union (“EU”), as well as entities established outside the EU that meet specific requirements outlined here, to take steps to protect individuals’ personal data. For example, under Article 27 of the GDPR, organizations established outside the EU that are subject to the GDPR must designate a representative within the EU. Similarly, under Article 37, companies that meet certain thresholds, which are discussed later in this article, must appoint a Data Protection Officer (“DPO”).
At first glance, these roles can seem similar. Yet, there are substantial differences regarding the responsibilities of each role, the requirements to serve in these capacities, and the circumstances that require their appointment. Understanding these differences is of the utmost importance to ensure compliance with these GDPR obligations. Thus, this article focuses on explaining: (1) when these requirements apply; (2) the distinctive characteristics of each role; and (3) whom organizations can choose to appoint to serve in these roles.
Representatives in the EU
Do I Need to Designate a Representative in the EU?
If your organization is not established in the EU and is regulated by the GDPR, you will likely need to designate a representative in the EU. However, there is an exemption to this requirement. Organizations may demonstrate that their processing of the personal data of individuals in the EU: (1) is occasional; (2) does not involve large-scale processing of special categories of data or data relating to criminal convictions; and (3) is unlikely to result in privacy intrusions. In practice, this exemption rarely applies. Websites accessible from the EU, for instance, likely process personal data from individuals in the EU every few seconds, and in such cases it would be difficult for an organization to argue that the processing is occasional.
If you have any questions about whether your organization should appoint a representative in the EU, VeraSafe’s Professional Services team can help.
What Is the Role of the EU Representative?
Representatives under Article 27 serve as a point of contact for supervisory authorities and data subjects in the EU. For this reason, the representative’s identity and contact details must be made available in the privacy policies and information notices provided by the organization to data subjects.
The duties of an EU representative can be both active and passive. In terms of active responsibilities, the representative must: (1) maintain records of data processing and make them available to the supervisory authorities upon request; (2) cooperate with supervisory authorities; and (3) facilitate communication between the foreign organization, data subjects (mostly in relation to data subject rights requests), and the supervisory authorities. In terms of passive responsibilities, an EU representative must receive legal documents on behalf of the foreign organization as an authorized agent, and an EU representative may be subject to enforcement proceedings if the organization infringes the GDPR and the foreign organization cannot respond.
Who Can Be an EU Representative?
An EU representative may be an individual or entity. They must be located in the same member state as the data subjects. If the organization processes data from individuals in multiple states, any of those member states may be chosen, provided the representative is accessible to all the supervisory authorities and the organization’s data subjects from across the EU.
Naturally, organizations that possess subsidiaries or affiliates in the EU can appoint them as their representative under the GDPR. If not, an employee based in the EU could be hired to serve as a representative, but, due to the potential liability faced by EU representatives, external service providers are often the most feasible option in practice.
Traditional sector-specific limitations, which create insurance and tax hurdles, often discourage law firms from providing these services. For example, the enforcement actions against a representative may not be covered by a law firm’s malpractice insurance.
However, other types of service providers operate in a more flexible environment that enables the implementation of innovative strategies to mitigate risk and avoid conflicts of interests. Such is the case with VeraSafe’s EU Representative Program. VeraSafe, a leading EU representative service provider recognized by the International Association of Privacy Professionals, offers professional EU representative services through our establishments in the Czech Republic, The Netherlands, and Ireland. Our team focuses on fast and accurate service, and we are a seamless facilitator in communications between you, data subjects, regulators, and vendors. To find out more about this service, schedule a free consultation by clicking here.
Data Protection Officer
Do I Need to Appoint a DPO?
Whether acting as a data controller or a processor, your organization must appoint a DPO if it is a public authority or body, or, more commonly, if the core activities of your organization (a) require large-scale, regular, and systematic monitoring of individuals (e.g., online behavioral advertising); or (b) consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses (e.g., search engines, hospitals, insurance companies, web analytics companies). A DPO may also be mandatory under certain member states’ laws (e.g., German law requires the appointment of a DPO for practically every business with ten or more employees). Even when the GDPR does not require the appointment of a DPO, European authorities recommend it, as they consider the DPO the cornerstone of accountability, facilitating compliance with data protection obligations.
This obligation applies regardless of where the organization is established. Moreover, European data protection regulators have recommended that the DPO be located within the EU, even if the organization is not.
What Is the Role of the DPO?
The primary responsibility of the DPO is to ensure that the organization processes the personal data of its staff, customers, service providers, and any other individual in compliance with the applicable data protection laws, but the role of the DPO does not end there. The DPO must educate the organization and its staff members about data protection matters, conduct compliance assessments at regular intervals, and act as a point of contact for data subjects and supervisory authorities. The DPO must also provide advice regarding Data Protection Impact Assessments, and the DPO can be tasked with maintaining the records of the processing activities performed by the organization.
Finally, if the organization is subject to a data breach, the DPO must be consulted regarding the organization’s notification and communication obligations under the GDPR.
Who Can Be a DPO?
The GDPR allows for a DPO to be appointed in-house or externally. A group of undertakings can designate a single DPO, provided that the DPO is easily accessible from each establishment. In all cases, however, a DPO must be an expert in data protection, independent of the organization, and adequately resourced, and must report to the highest management level in the organization.
In light of the complex and highly specialized knowledge that a DPO must have, and in consideration of the prohibition against conflicts of interest, outsourcing the DPO role to a specialized service provider is often the most practical and reliable way to satisfy this obligation under the GDPR. Appointing a DPO from within an organization is permissible, but few companies have data protection experts on staff. In addition, the executives who may qualify for such a position based on their skills will often be encumbered with the inherent conflicts of interest and biases that come with corporate leadership roles.
If you are looking for a Data Protection Officer with highly specialized expertise who can maintain the neutrality and impartiality required by the GDPR, VeraSafe can help. VeraSafe’s team of European and U.S. privacy professionals and IT security experts is uniquely well-positioned and equipped to serve as your DPO team. We already fulfill the DPO role for organizations ranging from very large enterprises and a top CRM provider to small and medium-sized enterprises. If you would like to know more about VeraSafe’s Data Protection Officer Service, schedule a free consultation with a VeraSafe data protection expert today.