11 February 2020
The EU General Data Protection Regulation (GDPR) privacy law has a very broad reach. It has created a lot of work for a lot of businesses worldwide, as they have found themselves needing to bring their data protection practices up to EU standards.
Now you need to nominate a representative to serve as your company's main point of contact in the EU. A key part of this process, specified in the GDPR itself, is to create a "written mandate."
This is an appointment letter that makes everything official.
Let's see how you can produce a GDPR-compliant EU Representative Appointment Letter.
The EU passed the GDPR to help individuals and governments keep control over the processing of personal data. "Personal data" is any information that relates to an identifiable individual person such as a name, phone number, and even web browsing history and an IP address.
It's not just EU companies that process the personal data of people in the EU. The GDPR is written so as to apply to all companies that operate inside the EU - whether they are based in the EU or not.
If your company falls within the scope of the GDPR, Article 27 requires that you appoint an EU Representative in some circumstances.
Your EU Representative must be a person or company legally established in the EU. This means that they can be summoned before an EU court in a way that others in your company cannot. This will bring your company under the legal jurisdiction of the EU and make your company more accessible to EU authorities and consumers.
Your company needs to appoint an EU Representative if it:
You don't even have to be pursuing a profit. You just need to have operations that involve the processing of personal data in the EU.
Some examples include:
There is an exception if the processing of personal data is occasional, unless it involves sensitive personal data. However, this exception is quite narrow and any business that considers itself to have EU operations will likely need to appoint an EU Representative.
Even if your company has a one-off project that involves the personal data of people in the EU, it may need to make this appointment.
There are certain characteristics that define an EU Representative. They must be based in the EU. This means that they have some legal presence in one of the EU's Member States (Germany, Poland, Italy, etc.). They should be able to speak one of the 24 official languages of the EU.
An EU Representative can represent multiple companies at once. If your company has a Data Protection Officer (DPO), they cannot also serve as your EU Representative.
Apart from this, you're basically free to choose whoever you want. Your choice will depend on the context and needs of your business.
This can be an individual, or an organization such as a law firm, consulting company, privacy company or other commercial or non-commercial entity.
Article 27 requires you to nominate this person or company "in writing." That's why an EU Representative Appointment Letter is required.
There's not a lot of specific information in the GDPR itself about what your Appointment Letter should contain. But given the nature of the role, it makes sense to include certain sections.
Given that this is a formal letter, you should start off by including your company's name and address and the date.
You can then set out a couple of definitions.
These terms can then be used to refer to the parties throughout the subsequent sections.
You should also give a brief explanation of the purpose of the letter. Note that you do not have to go into detail. Something like the following will suffice:
"Pursuant to Art 27 of Regulation (EU) 2016/679 (General Data Protection Regulation - "the GDPR"), [EU Representative's name] is hereby appointed as EU Representative to [your Company's name]."
Your letter should specify which country your EU Representative will be based in.
This might be obvious. For example, if you only export to Romania, your EU Representative should be based in Romania. If your website is written in Swedish, your EU Representative should be established in Sweden.
If you offer services to multiple countries, you should choose the one in which your business presence is most significant. Remember that your EU Representative should be able to speak the local language.
You should specify the roles and responsibilities of your EU Representative.
The GDPR is pretty quiet on what these are, but we can infer that your Representative is likely to be carrying out certain tasks because of the nature of their appointment.
Your letter could include a list such as the following:
The following tasks are the responsibility of the Representative:
- Help the Company provide individuals with access to their data subject rights.
- Act as the main point of contact for [your company's supervisory authority, e.g. the Information Commissioner's Office in the UK].
- Alert the Company to any correspondence received from the supervisory authority.
- Alert the Company to any inquiries received from data subjects.
- Help the Company meet its obligation under Article 30 of the GDPR to maintain data processing records.
It's important to note that you may not need to include that last point. You are usually exempt from this obligation if your company has under 250 employees. Read Article 30 of the GDPR if you want to make sure.
The sections that we have looked at so far basically cover everything that the GDPR mentions about the EU Representative.
In addition to the basic information about the role set out above, you can also use the appointment letter to govern the terms of your company's relationship with its EU Representative.
As mentioned above, you have a lot of freedom with choosing your EU Representative. You might be appointing someone already working within your company (assuming they live in the EU). You might be hiring someone specifically for the role. Or you might be calling upon the services of an agency.
You can use your Appointment Letter to provide details of the EU Representative's pay and conditions. This should include information about their hours and notice period.
The only reference to these matters in the GDPR is the requirement that the EU Representative is readily available to carry out their work.
You can also use your appointment letter to make the limits of the Representative's role clear. You can use wording such as:
"The Representative shall not enter into any agreements on behalf of the Company. Except within the scope of their role as EU Representative (as defined above), the Representative shall not make representations on behalf of the Company without prior approval."
Depending on the nature of your relationship with your EU Representative, it may be wise to include a hold harmless (or indemnity) clause. This could protect your business against any legal damage caused by your Representative.
Hold harmless clauses often form part of freelance or partnership agreements. They are also common in Terms and Conditions agreements and Acceptable Use policies.
Your company cannot, of course, ask its EU Representative to accept liability for any breaches of the GDPR committed by your company. A hold harmless clause only serves to limit the damage caused by the actual actions or omissions of the person that has agreed to it. Those actions will normally involve breaching the broader contract in which the indemnity clause sits.
Here's an example of a hold harmless clause from Upwork's User Agreement:
As the drafter of this agreement with your EU Representative, you can insert a clause which states where legal disputes will be heard.
The Customer Terms and Conditions of Constant-Content contain a governing jurisdiction clause:
Constant-Content is a British Columbia-based company, and so it has selected British Columbia as its governing jurisdiction.
Again, this clause does not determine the country in which any claim that your company has infringed the GDPR will be heard. Such cases will be pursued in the country in which your EU Representative is based. This clause only covers legal disputes between your company and its EU Representative.
The nature of the role means that your EU Representative may be privy to confidential information about your company.
A confidentiality clause or "non-disclosure agreement" (NDA) will legally obligate your EU Representative not to reveal any confidential information to any non-authorized parties.
In certain circumstances, your EU Representative will still need to disclose certain information to a supervisory authority or a court, however.
Here's a relevant section of Zendesk's Master Subscription Agreement:
Note how it mentions what types of information will and will not be considered confidential. This helps put the EU Representative on notice and lessens the chance of a confidentiality violation.
If your company is subject to the GDPR but has no establishment in the EU, an Appointment of EU Representative Letter is a legal requirement.
Make sure you include information about:
Depending on the context of your relationship with your EU Representative, you could also use this letter to set out:
This is how Echo 360 does this:
This free, downloadable template helps you get started with: