GDPR Appointment of EU Representative Letter
Do you process the personal data of people in the EU, supply them goods or services or monitor their behavior?
If so, you must comply with the GDPR, even if your company is established outside of the EU.
A lesser-known part of complying with the GDPR is the appointment of an EU representative. The requirement is spelled out in Article 27 of the GDPR.
If EU data subjects have no EU representative to contact, the omission is immediately obvious.
Should EU compliance officials spot that you don't have an EU representative, they may consider it a sign of deeper non-compliance and you could face an audit.
In addition to nominating an EU representative, you'll also need to write a letter confirming the appointment of your representative.
What is an EU Representative?
Your EU representative is the face of your company for the EU and the GDPR. This individual or organization must be located in an EU member state where your business has customers.
It will be the way your EU data subjects can easily get in touch with your company regarding questions, concerns and when exerting their rights under the GDPR.
When Do You Need an EU Representative?
As per Article 27, you'll need an EU representative if you're a data processor or data controller that's not located in the EU, but that processes data of people in the EU in order to:
- Offer them goods or services, even for free, or
- Monitor their behaviors as relates to their activities in the EU
There is an exception to this requirement. An EU representative will not be required even if the above is met if the processing:
- Is occasional,
- Doesn't include large-scale processing of special categories of data (religious beliefs, sexual orientation, race, genetic data, etc.), or
- Doesn't include processing of data related to criminal convictions and offenses, and
- When the nature, context, scope and purposes of the processing is unlikely to result in risks to the rights and freedoms of individuals
Public authorities and public bodies are also not required to have an EU representative.
To comply, you only need a representative based in one country where you control or process data. You don't need a representative for every EU country you interact with.
If you began operations prior to the GDPR and processed data from European citizens, you may have already had to appoint a representative.
Directive 95/46/EC, which served as the previous privacy law in Europe, stated that a "controller must designate a representative established in the territory of [a] Member State..." where the controller "makes use of equipment, automated or otherwise, situated on the territory of the said Member State..."
How Does an EU Representative Differ From a DPO?
Some companies confuse the role of EU representatives and Data Protection Officers (DPOs). The rules for appointing a DPO fall under Article 37.
In addition to featuring different requirements for appointing the roles, the nature of each role differs fundamentally as well.
A DPO is an active in-house role. In their role, they direct the GDPR-compliance program and the company's privacy efforts. They exist to support a compliance culture that protects EU citizens' data.
An EU representative is a passive external role. They are the point of contact for EU citizens to get in touch with your company about their data. Largely, they serve as a local post box for EU citizens and EU authorities. Companies with an EU office don't need to appoint a representative.
What Does an EU Representative Do?
The representative has three main active roles:
- Keeping records of data processing activities
- Receiving inquiries and complaints from data subjects
- Cooperating with supervisory authorities (as per Article 31)
Having an EU representative allows EU citizens to easily and efficiently get in touch with companies outside of the EU that process their data.
How to Create an Appointment of EU Representative Letter
If you need an EU representative, you'll need to formally appoint this individual and demonstrate your relationship. Article 27(1) requires this to happen "in writing" and does not explicitly state you can use a verbal or electronic agreement.
An informal letter is also helpful in expressing your relationship with your EU representative. You should then make the letter publicly available to your customers so that those protected by the GDPR have easy access to it.
For completeness, your letter needs to include the following information:
- Legal entity name
- Name of EU representative
- Description of the role
- Contact details of EU representative
MAGSEAL provides a useful example in its own letter nominating Delphic HSE Solutions Limited as its EU Representative for a different type of legislation - the EU Regulation on the Registration Evaluation Authorization and Restriction of Chemicals:
The letter produced by MAGSEAL provides the title of the company operating as their EU representative (Delphic HSE Solutions Limited) and the contact details for both technical and administrative inquiries. You'll notice that the contact details are personal details - not general "[email protected]" or customer service numbers. You need to name a specific contact and specific contact information.
You may also want to include a description of the roles and duties of the representative to create clear boundaries for the representative.
If your non-EU business falls under the scope of the GDPR and you don't fall under one of the exceptions for needing an EU representative, you'll need to appoint one to be compliant with the law.