Datadiem is your GDPR Representative in the European Union.
Datadiem provides a GDPR Representative in the EU service in accordance with Article 27 of the GDPR. It only takes a short time to contact us and comply with your obligation.
You benefit from our expertise and our tools with no time commitment. Our goal is to support you in developing your business and entering the European market in accordance with the legislation on the protection of personal data.
Why choose Datadiem as GDPR Representative?
Questions and answers relating to the appointment of a GDPR representative in the EU
It is mandatory to appoint a GDPR representative only in certain cases. The General Data Protection Regulation (GDPR) lays down the general principle that companies which are not present on the territory of the European Union (directly or indirectly, in particular via a subsidiary, branch, representative office or other form of establishment) but which target individuals in the European Union (by offering them goods or services) or monitor their behavior must appoint a representative.
The GDPR clearly defines the scope of the mission of the GDPR Representative in the EU and his obligations: the representative is the point of contact for the supervisory authorities (the CNIL in France) as well as for the data subjects wishing to exercise their rights; in addition, he keeps a register of all the processing operations on personal data carried out in the territory of the EU.
The question of the responsibility of the GDPR representative is of course often addressed on the basis of the Regulation, but it is important to remember that other sources specify the extent of his responsibility. Beyond the obligations of the GDPR, the representative is engaged in a contractual relationship with his client in the form of a mandate. The representation service is not limited to a simple declaration to the CNIL: the scope of the mission and the responsibilities must be specified in writing in a mandate, in order to clarify the obligations of the principal (the representative) and of his agent (the customer).
It is necessary to dispel a recurring ambiguity concerning the responsibility of the GDPR representative: the Representative is not intended to act as a firewall for his client. In the event of a breach involving the responsibility of the client, the latter cannot systematically take refuge behind the mandate of representation and the responsibility of his representative.
“The appointment of a representative […] is without prejudice to legal actions that could be brought against the data controller or the processor himself”.
Thus, in the event of a security breach involving the liability of a data controller or a processor established outside the EU, a supervisory authority such as the CNIL will first turn to the authorized representative, who assumes his mission as the point of contact with the authority. In a second step, the authority will seek to establish how responsibility is shared between the principal and his agent, in particular in the light of the legal obligations of the representative but also of the obligations provided for in the mandate.
Respect for the principles of transparency and reciprocal collaboration between the two parties will be taken into account to assess each party’s responsibility. For example, the representative has a legal obligation to keep a register of his client’s activities; however, if the CNIL finds a serious breach such as the omission of a processing sheet deemed essential to the register, it will investigate whether the processing in question was transparently brought to the attention of the representative or whether this processing activity was concealed from him.
Regarding the Article 27 GDPR representation mandate, it is advisable to include the following information: the identity of the parties and their capacity as principal or agent; whether the client acts as data controller and/or processor; the duration of the mandate; information relating to the scope of the mission and a reminder of the legal obligations of the representative (contact point for the CNIL, contact point for the data subjects wishing to exercise their rights, keeping of the register of activities according to the information provided by the client); remuneration for the GDPR representation service (see the answer given to the question “price of a GDPR representative service in the European Union?”); a reminder of the distribution of the responsibilities of the parties in the event of a dispute; and a mention of the Representative’s general conditions of service.
The GDPR representative cannot be DPO of the same entity; the incompatibility is justified by the existence of a conflict of interest between the two functions. On the other hand, it is quite possible for a compliance professional to offer services as DPO as well as GDPR Representative for separate entities when any risk of conflict of interest is ruled out.
The cost of the GDPR representative service for a foreign company can be built from several methods of calculation: start-up costs such as file opening fees, monthly or annual recurring fees for the designation with the CNIL, then remuneration depending on the services performed (maintenance of the register, responses to data subjects, etc.), either as a lump sum or according to an hourly rate. In addition, the risk exposure of the company is often taken into account in the calculation of the remuneration of the representative. The criteria used to assess this risk are generally the size of the company (according to the number of employees, the number of subsidiaries, the countries covered), the type of data processed (presence of particularly sensitive data categories) according to the sector of activity (for example the health sector), and the number of data subjects likely to exercise their rights.
First of all you have to make sure, as for the choice of your DPO, that your GDPR representative is an expert in GDPR compliance. His mission implies an in-depth knowledge of the regulations: he represents you before the supervisory authority and manages the requests of the data subjects concerned by your processing. The mission of the representative is therefore not simply administrative; in the event of an inspection by the CNIL or even a dispute, the answers provided by the representative often prove decisive for the progress and the outcome of the procedures initiated against your company. Also remember that even if your representative cannot be your DPO at the same time, he can still give you valuable advice. Of course the availability of the GDPR representative is an important criterion; as with any mandate, communication must be simple and quick. In the same vein, it is necessary to check the procedures for exchanging information, for example verifying that the data processing sheets can easily be updated and that the management of notifications and requests from data subjects is technically mastered. The GDPR representative must be able to provide his insurance certificate covering his activity as “RGPD representative article 27 of the GDPR” (not only DPO). This list of selection criteria for your GDPR Representative is not exhaustive.