EEA Representation Post Brexit

Do I need an EEA Representative?

One of the most overlooked areas of the General Data Protection Regulation seems to be that of EEA Representation. If you are a non-EU business and don’t know what we are talking about, then we have proved our point.

Why is this Important to UK Businesses Now?

Fundamentally, at some point the UK will cease to be part of the EU and therefore the EEA, and will no longer be able to benefit from the blanket GDPR rules for personal data remaining within the EU. We will become a third country and, barring any transitional agreements, will be seeking an adequacy ruling for personal data transfers. However, BEWARE: even with an adequacy ruling, the EEA representative rules will still apply.

What is an EEA Representative?

GDPR Definition:

(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

So, in effect, someone or some entity who is able to ‘represent’ your organisation within the EEA. The GDPR goes on to say that you MUST reveal the identity of your representative to the data subjects and to the relevant supervisory authority when requested to do so (in the Record of Processing).

Section 2: Article 13 – Information to be provided

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

Article 27 of the GDPR sets out the specific requirements (see below); however, it is one of the least obvious articles in the GDPR, and hence if you continue reading, we will unravel the mystery.

Article 27 Representatives of controllers or processors not established in the Union

  1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
  2. This obligation shall not apply to:
    1. processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
    2. a public authority or body.
  3. The representative shall be established in one of those Member States where the data subjects are and whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored.
  4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
  5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Dissecting Article 27

First of all, we need to address point 1, which says:
      1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
So what is Article 3(2), and does it apply?

Article 3 defines the Territorial Scope of the GDPR, and Article 3(2) says this:

      2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Put simply:
      • are you (your organisation) offering goods or services to data subjects who are in the Union?
or
      • are you monitoring the behaviour of data subjects in the Union? Remember, this only applies to monitoring of behaviour that takes place in the Union.
If you can answer NO to both of the above, then you can say that Article 3(2) does not apply and therefore you do not require an EEA Representative.

What about clause 2 in Article 27?

      2. This obligation shall not apply to:
        1. processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
        2. a public authority or body.
2(b) is quite simple: if you are a public authority or body, this requirement does not apply. When else does this clause not apply, i.e. what about 2(a)? This is a little harder to understand, and we need to break down the grammatical rules of English to properly figure out the logic. 2(a) describes:
      1. processing which is occasional
      2. processing which does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)
      3. processing which does not include processing of personal data relating to criminal convictions and offences referred to in Article 10
This is caveated by the ‘and’ at the end; therefore, IF the processing is NOT occasional, or you are processing special category data (not classified as large scale), you would be required to have a named representative unless you can demonstrate that the processing:

 “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing;”

 In essence, a small amount of occasional processing is generally not going to be considered enough to require an EEA representative.

Conclusion

If your business looks like it is going to need some kind of EEA representative you should already be looking for services.

But hold on…

I am an EU company providing services to the UK; will I need a UK Representative? Read “UK Representation for EU and Non UK Organisations” (to be posted 28 November 2019).

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at info@gdprauditing.com or visit our contacts page. The information provided in this post is for general information only and is not intended to provide legal advice.
© GDPR Auditing 2019.