Should you now have an EEA Representative?
An overlooked obligation
In the run-up to the end of the Brexit transition period on 1 January 2021, much of the focus from a data protection perspective was on how to keep data flowing freely between the European Economic Area (“EEA”) and the UK. The Trade and Cooperation Agreement concluded on 24 December 2020 provided a welcome, albeit temporary, solution by introducing a “bridging mechanism”. This interim measure provides that transfers of personal data from the EEA to the UK will not be considered a transfer to a third country for a “specified period” of up to six months, i.e. until the end of June 2021, whilst we await an adequacy decision from the European Commission. In the short term, this means businesses in the UK can continue to transfer data from the EEA without the need to put in place additional measures such as standard contractual clauses (“SCCs”).
However, the reprieve granted by the bridging mechanism and the focus on adequacy appear to have obscured one of the key obligations of GDPR, namely the requirement under Article 27 that companies which are not established in the EEA but which monitor or process the personal data of people within the EEA must appoint an EEA-based representative. This obligation will remain in place irrespective of any decision on adequacy.
Who needs to appoint an EEA representative?
You will need to appoint an EEA representative if you are a UK-based company with no offices, branches or other establishments in the EEA, but you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.
You will not need to appoint a representative if you are a public authority; or your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
Failure to appoint a representative could result in an administrative fine of up to €10 million or 2% of your total worldwide annual turnover – whichever is higher.
Who can act as a representative?
Your representative can be an individual, a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR. For example, a law firm, consultancy or private company can act as a representative.
You should enter into a written mandate with your representative e.g. via a service contract.
Details of your representative should be provided to EEA-based individuals whose personal data you are processing. You can fulfil this requirement by including details of your representative in your privacy notice or by including them in the upfront information you give individuals when you collect their data. You must also make them easily accessible to supervisory authorities e.g. by publishing them on your website.
What are the obligations of a representative?
The primary function of a representative is to act as a point of contact between your organisation and the EEA-based data subjects, and to facilitate co-operation between you and the relevant supervisory authority. Representatives are also required to maintain a record of processing activities under Article 30. Guidance suggests that maintenance of this record is a joint obligation and that the appointing controller / processor must provide its representative with accurate and updated information so that the record can be maintained and made available by the representative.
It is important to note that appointing an EEA representative does not affect your own liability under EU GDPR.
The European Data Protection Board (“EDPB”) has issued guidance to the effect that "The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union". Supervisory Authorities can "initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union" by addressing notices etc. to them, but not "to hold a representative directly liable". It therefore appears that representatives are directly liable only in respect of keeping a record of processing activities pursuant to Article 30 and in respect of providing information to supervisory authorities when ordered to do so pursuant to Article 58(1).
*This information is for guidance purposes only and does not constitute, nor should it be regarded as, a substitute for taking legal advice that is tailored to your circumstances.