Article 27 of the GDPR requires that an EU representative be appointed by companies under certain circumstances. Surprisingly, this applies even when no goods, services or money are involved. The only requirement is that data about an individual is being processed. So, the question you’re probably asking is: do I need an EU representative? Or maybe… what is an EU representative?
What Is An EU Representative?
In a nutshell, an EU authorized representative is a person located in an EU member state, designated by a data controller or processor to act on its behalf for matters pertaining to its obligations under the GDPR. Basically, this person is the point of contact for regulators should the need arise. While having a GDPR representative is not required in all cases, appointing one can prove prudent whenever it is unclear whether one is required.
Some Key Considerations:
- Is your processing regular or occasional?
- Is it a small amount of data or on a large scale?
- Does the data qualify as special category data as defined in GDPR Article 9 or Article 10?
- Does the data processing involve the tracking or monitoring of behavior?
What Happens If You Don’t Appoint An EU Representative?
Some in our industry have noted the importance of this requirement. Tim Bell, in a recent post on IAPP.org, calls it the ‘hidden obligation’, and rightfully so. On 12 May, the data protection authority (DPA) in the Netherlands fined LocateFamily.com €525,000 ($639,515 USD) for failing to appoint an EU representative (GDPR Article 27). This fine was accompanied by a further €20,000 per day until an EU rep is appointed. While this is not a small fine, the GDPR allows a penalty of up to €10,000,000 for this violation. This is significant for many reasons, but most notably because it is the first time Article 27 has really been enforced. While larger companies have privacy teams or lawyers, many smaller companies do not. Without an establishment in the EU, a representative is needed, and many companies either don’t know this or wrongly assume that the exemptions apply to their situation when they may not. This is a potentially devastating circumstance for a smaller company to find itself in (not a great look for larger ones, either), and one that is easily avoided.

Understanding Article 27 Risks
With enforcement stepping up and data privacy awareness doing the same, what should a company without an establishment in the EU do? Some elect to hire consultants or law firms in the EU to help build out their privacy program; others hire firms that offer EU representation as a standalone service. As with most things, a risk-based approach is what is called for, and we must all be very deliberate about where we put resources. This is a risk that can easily slip by as one worth accepting rather than mitigating. When your company weighs a potential downside of more than 12.1 million dollars against contracting a rep for as little as a few hundred dollars, mitigating this risk is the only sensible thing to do. The hard part is knowing you’re taking the risk to begin with. Article 27 leaves considerable room for interpretation with wording like “occasional” or “does not include on a large scale.”
Conclusion
So, what are your options, really? Try to live up to the letter of the law of every regulation in every jurisdiction where you do business? That sounds an awful lot like boiling the ocean. Working out which action or inaction will bring fines and reputational damage, and what can wait and be planned for, is absolutely key. At least for the question of EU representation, maybe the best place to start is by answering the four questions above.