Article 27 of the GDPR discusses the need for some companies outside of the EU to appoint a Member State Representative within the EU to serve as a point of communication for ensuring your company's compliance with the GDPR.
Presumably, this is to make communication less of a burden for authorities and data subjects who have questions or concerns about your policies and compliance with the GDPR. This will cut down on communication delays resulting from time zone differences among other things.
There seems to be some confusion in the business community about who needs to appoint an EU Member State Representative and who does not. There also seems to be some uncertainty about how an EU Member State Representative differs from a Data Protection Officer and whether one or both are required.
In this article we will explain what an EU Member State Representative is, who needs one, and how they differ from Data Protection Officers. If you are also unsure about whether or not you need to appoint a Data Protection Officer, you can read our article covering that topic here.
Article 27 is the primary portion of the GDPR pertaining to EU Member State Representatives.
Article 3 covers the territorial scope of the regulation, stating that companies both within the EU and companies outside of the EU that handle the personal data of EU citizens must comply fully with the GDPR.
Section 1 of Article 27 refers to Article 3 where it states that data controllers and data processors not located in the EU must designate a representative in the Union.
Section 2 of Article 27 goes on to give exceptions for when a representative is not needed:
Point (a) is quite a mouthful so let's break that down into something more digestible.
A data controller or data processor does not need to designate a representative in the Union if they:
- Process data only occasionally
- Do not process special categories of data on a large scale. These special categories of data include information about:
  - Political opinions
  - Philosophical beliefs
  - Trade union membership
  - Genetic data
  - Biometric data
  - Health data
  - Sexual orientation
  - Sexual activity
- Do not process personal data related to criminal history
- Handle data that has limited risk potential
If you are complying with the GDPR from outside of the EU, these are the requirements for whether or not you need to designate a representative.
Terms like "occasionally" and "large scale" may seem a little vague, and the GDPR does not make them abundantly clear. We hope for clarification on these terms in the future (how often is occasional?), but for now you'll have to use common sense and your best judgement. If you are truly unsure, err on the safe side and appoint an EU representative.
Section 3 of Article 27 states that the representative must be located in one of the EU member states where personal information is collected or processed from data subjects.
For example, if you process the personal data of residents of the UK, Italy, and France, your EU Member State Representative must be located in one of those countries. Your representative could not be located in Germany, because even though Germany is part of the EU, you do not have data subjects who reside there.
Section 4 of Article 27 requires that the designated EU Member State Representative be included as a contact for supervisory authorities and data subjects should they have any questions or concerns regarding data processing or GDPR compliance.
As the local representative for your company, he or she is a much more convenient point of contact.
The above guidelines make up the core of the GDPR's requirement involving EU Member State Representatives.
Article 35 discusses data protection impact assessments where it mentions that in some cases data controllers should look to their data subjects or EU reps for input. This is notable because it highlights another important function of EU Member State Representatives: opinions and knowledge of the market.
This could be vital where companies located outside of a given country are unfamiliar with cultural or social norms in that region. Instances of communication difficulty due to language barriers or other factors could lead to misunderstandings that might potentially interfere with GDPR compliance or other business operations.
Your EU Member State Representative not only represents your company to the local market, but also represents the local market to your company.
EU Member State Representatives
As covered in Article 27, an EU Member State Representative is a designated contact point and intermediary between data subjects, supervisory authorities, and the company that he or she represents.
While the duties of this position are not clearly defined, we can deduce that this individual's role is to ease communications between the foreign company and the data subjects and authorities in the EU. A local contact may be crucial for time-sensitive matters and matters involving local laws, customs, or social habits.
While the role of an EU Member State Representative is to assist in matters of compliance with the GDPR, this role is not the same as a Data Protection Officer.
Though similar, and perhaps combinable, it is important to be aware of this distinction and know that neither role supersedes the other.
Data Protection Officers
The guidelines for Data Protection Officers can be found in Articles 37-39.
Section 1 of Article 37 explains when a Data Protection Officer must be appointed. The situations when a Data Protection Officer should be appointed are as follows:
It is important to note that point (a) of Article 37, Section 1 is the opposite of point (b) of Article 27, Section 2. That is, EU Member State Representatives are not required for public authorities, but Data Protection Officers are required by public authorities who process personal data.
This is just one of many important distinctions between these two deceptively similar roles.
Article 37 goes on to say that multiple entities or branches can share a single Data Protection Officer so long as he has sufficient access to each. It also states that Data Protection Officers should be chosen based on qualifications and expertise about the GDPR and privacy law. It clarifies that a Data Protection Officer may have other roles within the organization they work for.
As with an EU Member State Representative, Article 37 ends by stating that the contact information of the Data Protection Officer should be published and made available for data subjects and authorities in case questions or concerns regarding GDPR compliance arise.
Article 39 discusses the duties of Data Protection Officers and Article 38 covers the responsibilities of data controllers regarding their DPOs.
We see many similarities here between what is required of Data Protection Officers and what is required of EU Member State Representatives, but there are also some important differences, primarily the purpose of the position.
We can infer that Data Protection Officers are expected to be experts and authorities in the field of privacy law while EU Member State Representatives are representatives of your organization.
Do I need both an EU Representative and a Data Protection Officer?
It is possible that your company or organization could require both an EU Member State Representative and a Data Protection Officer.
Let's review the conditions for each to see if you require one or both:
EU Member State Representative requirements
An EU Member State Representative must be appointed where the following occurs:
- A data controller or data processor is located outside of the EU; and
- That data controller or data processor regularly collects or processes the personal information of users within the EU; or
- That data controller or data processor processes special categories of data on a large scale; or
- That data controller or data processor processes personal information related to criminal history
If these conditions are met then an EU Member State Representative must be designated.
Data Protection Officer requirements
A Data Protection Officer must be appointed where any one of the following occurs:
- A public authority processes personal information
- A data controller or data processor regularly or systematically monitors personal data on a large scale
- A data controller or processor handles special categories of personal data on a large scale
- A data controller or processor handles personal information relating to criminal history
If any of these conditions are met, a Data Protection Officer needs to be appointed.
Could one person do both?
As you can see, there are many similarities between the requirements for these two roles. Extra protections for special categories of data and criminal histories are given in both cases, as well as distinctions between occasional vs. regular and large scale vs. small scale data processing.
However, the purposes and duties of these roles are not the same.
It is very possible that your company or organization could require both an EU Member State Representative and a Data Protection Officer.
For this to happen, you would need to be located outside of the EU and process or monitor a large amount of data or special kind of data on a regular basis. These conditions would be sufficient to require that both an EU Member State Representative and Data Protection Officer be appointed.
Article 37 states that a Data Protection Officer may have other duties in addition to his or her duty as a DPO. This could potentially mean that a single individual could serve as both an EU Member State Representative and Data Protection Officer.
However, this individual would have to be a resident of the EU while your company or organization would likely be located outside of the EU. This would probably contradict the requirement for a Data Protection Officer to have easy access to the company for which he or she works.
There is no mention of this being possible or forbidden, but it is probably not recommended to have your Data Protection Officer be located in another country.
The requirements for needing to appoint an EU Member State Representative make a lot of sense once you understand them. Unfortunately, the crux for comprehensive laws such as the GDPR will always be clarity and ease of understanding. When we break down the clauses and paragraphs into more easily understood statements, it is a simpler task to comprehend the requirements and see why they are there, and if they apply to your case.
If you are located outside of the EU but regularly process the personal information of residents of the EU, you should appoint an EU Member State Representative.
If you handle special categories of data such as those listed in Article 9 or data related to criminal histories of residents of the EU, then you should appoint an EU Member State Representative.
If you collect or process valuable personal information of residents of the EU that could put the rights or freedoms of those data subjects at risk, then you should appoint an EU Member State Representative.
You may need to appoint a Data Protection Officer in addition to your EU Member State Representative. You may only need one or the other, or you may not need either.
If that is the case, you may still want to consider the value of appointing someone to these positions even though it is not legally required at this time. If you plan on expanding, if your data handling procedures could change, or if you want the benefits of having someone appointed to these roles, there is certainly no harm in appointing them now.