The General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018.
The GDPR introduces the concept of an EU representative for firms that have no establishment in the EU but are nonetheless caught by the Regulation's rules on processing the personal data of people in the EU. Such representatives are unlikely to be relevant to most fund management companies, and we explain why.
For the rules to apply, the non-EU company must either offer goods or services to data subjects in the EU (whether or not payment is required) or monitor the behaviour of people in the EU, for example by systematically tracking or profiling them (Art. 3(2)). If either limb applies and the company has no establishment in the EU, then under Art. 27 it must designate a representative in the EU. That person or company acts as the main point of contact for questions and concerns about the company's data processing from data subjects in the EU and from any data protection supervisory authority.
The representative must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. In the case of the company processing personal data from more than one Union country, it is open to choose itself where its representative should be established. The best jurisdiction for the representative may be the one
- in which the company has the most EU data subjects,
- where it focuses its targeting of EU data subjects, or
- where it conducts the most extensive monitoring.
The main exemption from the obligation to mandate a representative applies where the processing is only occasional, does not include large-scale processing of special categories of personal data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 27(2)(a)). Public authorities and bodies are separately exempt (Art. 27(2)(b)).
Generally, these rules will not concern asset managers that neither offer their services to investors in the EU nor systematically monitor the behaviour of people in the EU. Both limbs turn on the relevant definitions, however, and should be considered carefully. If the rules might apply to your firm, we set out below what this may mean.
Below are answers to the most commonly asked questions about the EU-based representative required under the GDPR.
1. Which companies need an EU representative under the GDPR?
Companies that have no establishment in the EU yet offer goods or services to data subjects in the EU, or monitor their behaviour, must designate in writing a representative in the Union (GDPR Art. 27(1)).
The GDPR extends its territorial scope to controllers and processors established outside the European Union. It applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality or place of residence (GDPR Art. 3(2) and Recital 14). What matters is therefore not where the company is located or where the processing takes place, but whether the data relates to individuals who are in the EU.
Non-EU-based companies that offer goods or services to data subjects (i.e. identified or identifiable natural persons) in an EU country must meet the requirements of the GDPR; this applies equally to services offered free of charge. The same applies to non-EU-based companies that monitor the behaviour of individuals in the EU (e.g. by profiling them), as far as that behaviour takes place within the EU.
2. Who can be appointed as your EU representative?
Any natural or legal person established in the Union can be designated as the representative of a non-EU-based controller or processor (GDPR Art. 4(17)).
Please note that the representative must be established in one of the EU Member States where the data subjects whose personal data the company processes (in relation to the goods or services offered to them, or whose behaviour is monitored) are located (GDPR Art. 27(3)).
Because the Union representative serves as the main contact person for anything concerning the company’s processing of personal data under the GDPR, they need to be capable of communicating efficiently with the data subjects and cooperating effectively with the relevant data protection supervisory authorities.
3. What are the duties of an EU representative?
The main responsibility of the representative is to act as the liaison between the non-EU controller or processor on one side and the data subjects and supervisory authorities on the other. The representative is mandated to be addressed, in addition to or instead of the controller or processor, on all issues relating to the processing, for the purposes of ensuring compliance with the GDPR (GDPR Art. 27(4)).
Additional tasks of the representative include maintaining the records of processing activities (GDPR Art. 30(1) and (2)) and, where applicable, making those records available to the supervisory authority on request (GDPR Art. 30(4)). It is also important to note that appointing a representative in no way replaces or limits the responsibilities of the company located outside the European Union.
4. What is the best way to mandate an EU representative?
The appointment of an EU representative for companies without an office in the EU must be made in writing (GDPR Art. 27 (1)).
The written agreement or contract should at least set out the rights and obligations of the representative, including the scope of its mandate to deal with data subjects and supervisory authorities. An oral appointment of the representative is not sufficient.
5. Are there any exemptions to the obligation of appointing an EU representative?
The GDPR includes two exemptions from the obligation to designate a representative for controllers or processors not established in the EU.
Under Article 27(2)(a) of the GDPR, a representative is not required for a company processing the personal data of data subjects in the EU if all of the following apply:
- the personal data is only processed occasionally,
- the processing does not include large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences, and
- the processing is unlikely to result in a risk to the rights and freedoms of data subjects.
Under Article 27(2)(b), public authorities and bodies are also exempt.
6. To what extent can the EU representative be held liable?
Designating a representative in the EU is without prejudice to legal actions that could be initiated against the controller or processor itself (GDPR Art. 27(5)). The controller or processor therefore remains responsible for meeting its regulatory obligations when processing the personal data of data subjects in the EU.
However, Recital 80 makes clear that the representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor, so the representative may itself face action by data protection supervisory authorities.
If Article 27 applies to your business and you fail to designate an EU representative, you could be fined up to €10,000,000 or, in the case of an undertaking, up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)(a)).
Laven is here to help ensure your firm and staff are up to speed with the scope and responsibilities of the GDPR with our GDPR Services, which include training, gap analysis, providing memorandums for the board and ongoing monitoring through our Digital Compliance Assistant software.
Contact us here for more information.