What is an EU Representative?
Many of you have heard about the EU representative, but what it is remains unclear. We have tried our best to explain the role of the EU representative.
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This law arrived with precise requirements for organizations.
Still, there are some mysterious elements around the role of the EU Representative that need elaboration. Many are wondering if it has a connection with the position of the Data Protection Officer (DPO), as they both stand accountable for safeguarding data subjects’ personal data.
But we can’t say who is more important, as they both perform different duties in an enterprise.
Companies that are located inside the EU boundaries are under a legal obligation to hire a DPO. However, companies that are situated outside the EU but deal with the personal data of EU citizens must hire an EU representative.
The GDPR brought strict laws for organizations that deal with customers’ personal data. Companies have become more concerned about their alignment with the GDPR requirements that revolve around DPOs and EU Representatives.
There are many things to discuss about an EU representative, but the main concerns are:
1) The difference between the DPO and UK EU representative
2) Its Responsibilities
3) Do non-European companies within the boundaries of the EU need an EU high representative?
4) Can a company hire a DPO as a substitute for an EU representative?
A representative’s job description
The job of an EU representative requires him or her to work for non-EU-based organisations while being established in the EU.
The representative serves as a point of contact between the Information Commissioner’s Office (ICO), organisations and, lastly, the data subjects.
Representatives are required to:
- Respond to any queries the ICO or data subjects have concerning data processing.
- Maintain records of the organisation’s data processing activities.
- Make data processing records accessible to the ICO.
Different roles of the DPO and an EU Representative
There is a significant difference between the job roles of a UK EU representative and the DPO. If a company somehow manages to assign these two tasks to one person, it might end up in a problematic conflict of interest.
It is essential to know clearly what the basic functions of each role are:
- A Data Protection Officer (DPO) is hired by EU enterprises to facilitate and assess a company’s compliance with the GDPR provisions.
- The duty of an EU Representative is to represent companies that are not based in the EU with regard to their GDPR obligations.
The job of the DPO is to support an organisation and enable the efforts it makes to maintain its compliance with the GDPR.
The GDPR provisions protect the DPO from being held liable for any legal action that might be taken by Data Protection Authorities (DPAs) or data subjects.
The EU Representative is a point of contact between EU authorities, data subjects and the organisation.
The representative must be established in the EU. Moreover, the requirements say that the representative should be based in one of the Member States where the data subjects reside, for clear channels of communication.
The DPO, by contrast, is a support point for a company in its GDPR compliance efforts.
Many companies are concerned about how the role of an EU Representative can affect their organisation.
They should know they can decide the scope of a Representative’s role and authority during the contractual process of delegating a Representative.
Why is an EU Representative crucial for non-European companies with legal EU entities?
Under Article 27 of the GDPR, an EU Representative is a legal requirement for all non-European companies that handle the information of EU data subjects but don’t have a physical presence in any Member State.
By contrast, non-European companies with legal entities in EU member states aren’t required to hire a representative.
Although the EU high representative is not mandatory in such a situation, companies must understand that in any inquiry or compliance problem, the DPAs will ask the organisation’s leadership team if there is no representative.
Non-European companies with data subjects in the EU can hire a DPO or a privacy professional to support their compliance efforts, although the GDPR obligations do not allow them to do so.
For such companies, a DPO is needed more than a Representative, because these companies will have to meet more GDPR requirements, with more responsibilities than a representative could fulfil.
Additionally, it is easier to hire a DPO than to find a willing individual for an EU Representative position, all because of the legal implications.
Individuals who agree to take on the job of a representative must prepare themselves for any situation related to infringements or the consequences of non-compliance. The reason is that they stand legally responsible and may take actions accordingly.
On the other hand, the DPOs can be protected from any legal action by the DPAs.
How about hiring a DPO for the tasks of the EU Representative?
This subject was quite unclear under the GDPR, and more explanation is needed on this topic.
The Irish Office of the Data Protection Commissioner (DPC) is the only government entity that has attempted to answer this question.
The DPC’s statement was that nothing will happen if an individual performs double duties or roles.
But an organisation must take care that the person handling dual responsibilities does not take on tasks which can end up in a conflict of interest.
The DPC clearly stated that the conflict might occur, especially when it comes to keeping things confidential.
An EU representative is the sole point of contact between data subjects, the DPA and an organisation. By contrast, a DPO performing dual responsibilities can feel conflicted when receiving certain concerns from data subjects or the DPA, because they have an obligation to facilitate the organisation’s compliance with the GDPR.
Who should be selected as an EU Representative?
Any legal or natural person based in an EU member state can be appointed as an EU representative.
For instance, if your company collects personal information from data subjects in France, then you must have a France-based EU representative.
If your company collects data from all the states of the EU, you are allowed to appoint a representative in an EU member state.
Nevertheless, if your company has different countries to select from, the best option is to select the one from which most of the data is collected or where it conducts more extensive monitoring.
In the end
The GDPR has not provided clear instructions about the interplay between the DPO and the EU Representative.
But it would be a wise suggestion for many companies to hire a different person for each role.
Otherwise, they will experience many unavoidable potential conflicts of interest, and many compliance issues are likely to arise.
Neither of these two roles should be avoided. Companies are under a legal obligation to hire individuals for these two roles.
Each role has its own importance and duties to perform. If those duties are performed accurately and accordingly, a company can save itself from various breaches and fines.
In the end, both roles are designed to provide assistance for EU companies.
These roles are also imperative for a company to move securely in the world of data privacy, and they come with huge responsibilities.
Frequently Asked Questions
1) What is an EU representative?
A European Authorised Representative (E.A.R.) is a legal person appointed by non-European Union (EU) manufacturers to represent them in the EU. The EU representatives also ensure their organisation’s compliance with the European Directives.
2) Who is a controller under GDPR?
A controller defines the means of personal data processing. A processor, by contrast, is responsible for processing personal data on behalf of a controller.
3) Does GDPR apply to non-EU citizens?
The whole point of the GDPR is to protect data belonging to EU citizens and residents. ... This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
4) Does GDPR apply to all data?
The General Data Protection Regulation applies only if the processing of data concerns personal data. The term is defined in Art. 4 (1). Personal data are any information which is related to an identified or identifiable natural person.
5) Can personal data be shared without permission?
In many cases, you cannot share personal data unless you have the explicit consent of the data subject. There are two types of personal data sharing: sharing personal data that is sensitive or confidential, and sharing personal data for purposes of marketing.