The obligation to establish a representative in the European Union is one of the new solutions introduced by the GDPR for entities from third countries, and it is directly related to the territorial scope of the Regulation. In particular, entrepreneurs who direct their commercial offer to EU citizens should assess whether they are obliged to establish a representative in the EU.
Who has the obligation to appoint a representative?
The obligation applies to both the controller and the processor that does not have an organizational unit in the EU and that meets all of the following conditions indicated in art. 3 par. 2 GDPR:
- it processes personal data of data subjects who are within the territory of the EU,
- its processing activities are related to:
  - offering goods or services to data subjects in the EU, irrespective of whether they are required to pay; or
  - monitoring their behavior, as long as this behavior occurred on the territory of the EU,
unless an exception under art. 27 sec. 2 of GDPR applies. In order to be exempt from the obligation to appoint a representative, a private sector entity must meet all of the following conditions:
- process personal data only sporadically,
- not process special categories of personal data (so-called sensitive data) or personal data on convictions and offenses on a large scale,
- process data in such a way that, given the nature, context, scope and purposes of the processing, it is unlikely to lead to a risk of violating the rights or freedoms of natural persons.
Who can be a representative?
A representative may be either a natural person residing within the EU or a legal person seated in the EU. At the same time, it should be acknowledged that under the GDPR this concept includes not only the registered office but also the place in which the main part of the enterprise is run.
One representative may act on behalf of several entities. A representative does not need to be established in every EU country where the data subjects reside. It is enough to ensure that the representative can also be contacted by data subjects who reside in the other EU countries to which goods and services are directed (or in which they are monitored). The obligated entity can freely choose the EU country in which it establishes a representative; it is only good practice that this be the country in which the data subjects are located. In order to fulfill its tasks correctly, the representative must be able to communicate with the data subjects and the supervisory authorities in their language.
How to set up a representative?
In order to appoint a representative, the entity should authorize this person in writing, stating that, for the purposes of ensuring compliance with the GDPR, this person can be addressed in matters related to the processing of data, in particular by:
- data subjects,
- supervisory authorities,

without or instead of the data controller or processor.
The representative should accept the authorization. The appointment of a representative does not need to be notified to the supervisory authority, as is the case with a data protection officer. However, information about the representative and his contact details should be included in the content of the information clause.
What are the duties of a representative?
The role of the representative is, first of all, to facilitate communication between data subjects and the controller or processor so that data subjects can exercise their rights related to the processing of data, e.g. the right to object to the processing. The representative also cooperates with the supervisory authorities, in particular by providing information needed to carry out their tasks.
The representative is also obliged to keep a record of processing activities, based on information provided to him by the data controller or processor.
What are the sanctions for non-compliance with the obligation to appoint a representative?
The financial penalty for not appointing a representative is up to 10,000,000 EUR and in the case of an enterprise - up to 2% of its total annual global turnover from the previous financial year.