NEWS

Data Protection News for Brexit I: the EU Representative According to Article 27 GDPR

As a result of the current Brexit developments and the resulting EU-UK agreement, we are taking our clients' enquiries as an opportunity to inform you about the relevant new requirements. In the coming weeks, we will highlight the most important changes in data protection that businesses must now be aware of. Today's spotlight: the EU Representative according to Article 27 GDPR.


British businesses in particular will be strongly affected by the dynamic developments. The United Kingdom is expected to assume the rank of an EU third country as of May 2021. From that point on, the EU will no longer classify the United Kingdom's level of data protection as equal. The transfer of personal data from the continent to the United Kingdom will require special justification in this case. Although the United Kingdom is seeking a renewed recognition of its level of data protection (by means of an adequacy decision by the EU Commission) in order to continue to ensure the smooth flow of data, the timing of such a decision is as yet uncertain. Therefore, in the meantime, further formal requirements (e.g. informing data subjects in the case of data transfers to the United Kingdom) will become relevant for EU businesses and those based in the United Kingdom.

One of the new formal requirements of the GDPR is that UK businesses must appoint an EU Representative after the transition period (according to Article 27 GDPR). Since the GDPR always applies to the processing of personal data of persons residing in the EU, processing businesses whose place of business is not located within the EU can also be sanctioned with severe fines in the event of a violation.

Since last year, we have been eagerly observing the changes surrounding Brexit for you. To ensure that the implementation of these compliance requirements runs smoothly, we will be happy to support you with your questions. British businesses should prepare early – now! – for the appointment of an EU Representative.

 

You can check here if you need to designate an EU Representative:

Check now

 

Does your business need an EU Representative?

  • Does your business offer goods or services to persons located in the European Union?
  • Does your business monitor or observe the behaviour of people in the EU?

If your business does not have a branch office in the EU and you have answered "yes" to one or both of the questions, you are required to designate an EU Representative for your business.

Exception:
If in your business the processing of personal data is only occasional and unlikely to present a risk to the rights and freedoms of natural persons. Does this exception apply to your business? Our data protection experts will be happy to advise you.

 

What are the tasks of the EU Representative?

The Representative shall be designated by the Controller (management of the business) or the Processor (e.g. service provider). In particular, he or she shall serve as a contact point and contact person for supervisory authorities and data subjects. The EU Representative thus represents the link between them and the data processing business established in a third country.

 

How does the EU representative differ from the Data Protection Officer?

An EU Representative is not the same as the Data Protection Officer. Both have different tasks and duties: A Data Protection Officer advises the business comprehensively on data protection issues, is not subject to instructions and is supposed to promote the compliance culture within the Controller's organisation. The EU Representative is merely a point of contact, subject to the instructions of the Controller. He is available for enquiries and complaints and can document processing activities and processing orders but has no other active tasks beyond that.

 

Who can you designate as EU Representative?

The designated EU Representative must be located in one of the EU Member States where the processing takes place. He must be a natural or legal person designated in writing by the Controller or Processor.

As the Representative is required to communicate with authorities and data subjects on a wide range of issues, it is an advantage if he or she has expertise regarding the GDPR and other data protection regulations. In addition, your Representative should ideally have a good understanding of your business processes and structures – for what and how your business uses data. The Representative ideally has professional experience in working with authorities in the areas of data protection (law) and compliance.

 

How can you designate an EU Representative?

You must authorise the Representative in writing. The power of attorney should contain the tasks of the Representative. Currently, an appointment with the supervisory authority responsible for you is not required.

However, you must name the Representative in your privacy information (and typically your privacy notice), and in your records of processing activities.

 

How many EU Representatives do you need?

In principle, only one EU Representative is needed.

However, depending on the size of your business and the scope of your data processing, it may make sense to have more than one Representative. Different languages and cultural and legal specificities in each EU Member State may cause additional difficulties.

 

What are the consequences if you do not designate an EU Representative even though you need one?

Failure to comply can result in heavy fines of up to €10 million or up to 2% of its total annual worldwide turnover for the previous financial year, whichever is higher. Furthermore, non-compliance can lead to costly lawsuits in Germany or other EU Member States if you do not take the regulations into account.

 

Our Services

CLARIUS.LEGAL supports your business in complying with applicable data protection regulations.

As your EU Representative, we assume the following responsibilities for you:

  • Cooperation with the supervisory authorities;
  • Appointment of the direct contact person for data subjects and supervisory authorities;
  • Forwarding letters, enquiries, official notices and any fines to the business;
  • Publication of the designation of the EU Representative to the public (upon request);
  • Support with the creation of records of processing activities;
  • Maintenance of records of processing activities;
  • Documentation of order processing;
  • Creation of templates for privacy policies, information sheets and other formal documents;
  • Provision of initial information on legal issues relating to the GDPR or the data protection laws of the Member States.


We not only answer your questions regarding the designation of an EU Representative, but also offer you comprehensive data protection consultation. We are also happy to act as your external Data Protection Officer

For further information and a concrete quote, please contact the CLARIUS.LEGAL team at clarius@clarius.legal or at +49 40 257 660 975.