Which businesses need a GDPR Representative?
Under Article 27 of the European Union General Data Protection Regulation (GDPR) your business must appoint a “Representative” in the EU if:
A Public body does not need to appoint a GDPR Representative. If you decide you don’t meet the criteria for needing a Representative you must document this fact, and the reasons this decision was made – in order to comply with the record-keeping obligations under Article 30.
Are there any exemptions?
Yes, according to Article 27 a controller or processor does not need to appoint a “representative” if:
Note: “Occasional” is not defined in GDPR, but repetitive processing, such as payroll, is unlikely to be “occasional” and businesses running website analytics on persons in the EU is highly unlikely to be “occasional”.
If my company is part of a group of companies do I need to appoint a separate Representative for each entity?
Yes. Each separate legal entity in the group of companies must separately appoint a GDPR Representative. Each entity can appoint Juksta separately. If you have a large group of companies please contact us for special rates for group companies.
What are the Representative responsibilities?
By you appointing Juksta as your representative we are required to enable your customers/data subjects and relevant supervisory authorities to communicate with you via us. We enable the communication via our Representative Portal for all online communications. Any postal or fax communications can be sent to our office in Ireland and we will scan them into our Representative Portal so that they are instantly available to you. Your customers/data subjects, supervisory authorities and others may also contact you directly, and you may respond to them directly. You must make our representative service available, but it is not against the law if it is not used. The Representative must also co-operate with the supervisory authorities.
Can my DPO be my Representative?
No. The roles and functions of a DPO and a Representative are different. The European Data Protection Board (EDPB) has expressly stated that it considers the role of a Representative to be incompatible with the role of the DPO. The DPO’s role is to exercise their duties and tasks in an “independent manner”, whereas a representative must act only in accordance with the written instruction of the company. The EDPB also considers the two roles to have potential conflicts of interest.
What are the penalities of non-compliance?
Under Article 3 of the GDPR, Territorial scope of the legislation specifically includes processing of personal data of EU data subjects by organisations who reside outside the EU. Penalities for not complying with the requirement to appoint a GDPR representative can be up to 2% of the businesses annual worldwide revenue or $10,000,000 Euros, whichever is the greater.
Penalites may be enforced by supervisory authorities, and/or you maybe liable for civil claims arising from your breaches of GDPR.
How should I choose a Representative?
You should choose a Representative who:
Can you be my Representative?
Yes, upon completion of registration your GRPR Representative will be Juksta GDPR Representative Limited, an Ireland based company.
Juksta GDPR Representative Limited is part of the Juksta group of companies, with a presence in Ireland and Australia.
How do I appoint you as my Representative?
Simply select a plan and register an account. You appoint us as your GDPR Representative as part of the sign up process.
Can you tell me more about you?
We are made up of a group of legal experts and IT specialists. Our senior lawyers and privacy experts have over 25 years experience specialising in information technology contracts, business law and regulatory compliance. Our senior IT specialists have over 20 years experience in software development, product management and information security.
What are my payment options?
Payment can be made by credit card, with all prices in Euros. The Juksta GDPR Representative service is a monthly subscription. Your monthly subscription fee is automatically billed against your choice of payment and an invoice/receipt provided.
How do data subjects contact me online?
Web based requests can be made by your clients, data subjects or supervisory authorities via your unique Customer Care portal, which is setup on registration. You are provided with a URL and HTML code, which you can add to your contact information. Notifications received via the portal are automatically queued in your Notification Management Portal and you will be notified via email and/or SMS.
Can I receive requests by mail or fax?
Yes, requests made by post or fax to your GDPR representatives address in Ireland are scanned and added to your Notification Management Portal. You are also notified of these requests via email and/or SMS.
How do I respond to requests?
Requests are managed via your Notification Management Portal. From here you can review requests and action them to provide information to the data subject or supervisory authority.
Do you help me with my response to a request?
No, Represent is an application designed to facilitate the request process and enable you to respond in a manner that meets your record keeping requirements. You are solely responsible for dealing with the request, identifying the requestor, providing any response and all other aspects of the request.
Does this mean you are a data processor?
Yes. Under GDPR the Representative acts only under the directions of its customer, and so Juksta is the data processor and its customer is the data controller for Representative related processing.
Do I need a processing agreement with you?
Yes, because we are processing data for you, you need a data processing agreement as one of your GDPR obligations. A data processing agreement is entered into as part of the terms and agreements when you sign up. There are no additional actions you need to take.