A GDPR representative is a special type of organisation prescribed by Art 27 of the EU Privacy Law, known as GDPR. Its role is to allow EU-based people (usually your EU customers and the EU regulators) who want to communicate with your business about a privacy-related matter under GDPR to do so.
The GDPR representative must facilitate those communications between EU-based people and your business, although it is quite lawful for people to contact you directly as well as, or instead of, going via your EU representative.
The representative must be based in an EU country.
Your business will need a GDPR representative if:
Public bodies who are subject to GDPR do not need to appoint a representative.
GDPR, by law, applies to any business (irrespective of size) if any one of the following apply:
The word "presence" is not defined in GDPR, and will be decided by the courts based on all the circumstances at the time, but it is likely to include:
Other guiding factors will be whether or not the business has a bank account in the EU, whether the business has other physical infrastructure, such as servers, in the EU, and whether the business has a "Permanent Establishment" for tax purposes in the EU.
The word "occasional" is not defined in GDPR, but repetitive processing, such as processing a payroll, is unlikely to be "occasional", and running website analytics on persons in the EU is highly unlikely to be "occasional".
Non-compliance with Article 27 exposes a business to significant administrative fines. A business which fails to appoint a nominated GDPR representative when required to do so faces a potential fine of up to €10 million or 2% of global annual turnover, whichever is greater.
If your business has no presence in the EU and offers goods and services to individuals in the EU, or monitors the behaviour of individuals in the EU, then GDPR applies to your business and you should appoint a GDPR Representative.
Each legal entity is viewed separately and must comply separately. If there are a number of companies in the same group of companies, or there is a franchise with each franchisee being a separate legal entity, then it is necessary to apply the test to each separate legal entity in that group or franchise.
This may mean that, in a group of companies, all the subsidiaries or entities that are outside the EU each need a GDPR representative, or that the franchisor and each franchisee outside the EU will each need a GDPR representative.
The UK leaving the EU has a number of important consequences for the role of the GDPR Representative, including:
See our article on Brexit and Article 27 Representatives for additional details.
It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.
We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.