Datadiem is your GDPR Representative in the European Union.
Datadiem provides a GDPR Representative in the EU service in accordance with Article 27 of the GDPR. It only takes a short time to contact us and comply with your obligation.
You benefit from our expertise and our tools with no minimum commitment period. Our goal is to support you in developing your business and entering the European market in accordance with the legislation on the protection of personal data.
Why choose Datadiem as GDPR Representative?
Questions and answers relating to the appointment of a GDPR representative in the EU
It is mandatory to appoint a GDPR representative only in certain cases. The General Data Protection Regulation (GDPR) lays down the general principle that companies which are not present on the territory of the European Union (directly or indirectly, in particular via a subsidiary, branch, representative office or other form of establishment), but which target individuals in the European Union (by offering them goods or services) or which monitor their behavior, must appoint a representative.
The GDPR clearly sets out the scope of the mission of the GDPR Representative in the EU and his obligations: the representative is the point of contact for the supervisory authorities (the CNIL in France) as well as for the data subjects wishing to exercise their rights; in addition, he keeps a register of all the processing operations on personal data carried out in the territory of the EU.
The question of the responsibility of the GDPR representative is of course often addressed on the basis of the Regulation, but it is important to remember that other sources specify the extent of his responsibility. Beyond the obligations of the GDPR, the representative is engaged in a contractual relationship with his client in the form of a mandate. The representation service is not limited to a simple declaration to the CNIL: the scope of the mission and the responsibilities must be specified in writing in a mandate, in order to clarify the obligations of the principal (the representative) and of his agent (the customer).
It is necessary to dispel a recurring ambiguity concerning the responsibility of the GDPR representative: the Representative is not intended to act as a firewall for his client. In the event of a breach involving the responsibility of the client, the latter cannot systematically take refuge behind the mandate of representation and the responsibility of his representative.
“The appointment of a representative […] is without prejudice to legal actions that could be brought against the data controller or the processor himself”.
Thus, in the event of a security breach involving the liability of a data controller or a subcontractor established outside the EU, a supervisory authority such as the CNIL will first turn to the authorized representative, who assumes his mission as a point of contact with the authority. In a second step, the authority will seek to establish the sharing of any responsibilities between the principal and his agent, in particular in the light of the legal obligations of the representative but also of the obligations provided for in the mandate.
Respect for the principles of transparency and reciprocal collaboration between the two parties will be taken into account to assess each party’s responsibility. For example, the representative has a legal obligation to keep a register of his client’s activities; however, if the CNIL finds a serious breach such as the omission of a processing record deemed to be essential in the register, it will investigate whether the processing in question was transparently brought to the attention of the representative or whether this processing activity was concealed from him.
Regarding the Article 27 GDPR representative mandate, it is advisable to include the following information: the identity of the parties and their capacity as principal or agent; whether the client acts as data controller and/or subcontractor; the duration of the mandate; information relating to the scope of the mission and a reminder of the legal obligations of the representative (contact point for the CNIL, contact point for the data subjects wishing to exercise their rights, keeping of the register of activities according to the information provided by the client); remuneration for the GDPR representation service (see the answer given to the question “price of a GDPR representative service in the European Union?”); a reminder of the distribution of the responsibilities of the parties in the event of a dispute; and mention of the Representative’s general conditions of service.
The GDPR representative cannot be the DPO of the same entity; the incompatibility is justified by the existence of a conflict of interest between the two functions. On the other hand, it is quite possible for a compliance professional to offer DPO services as well as GDPR Representative services for separate entities when any risk of conflict of interest is ruled out.
The cost of the GDPR representative service for a foreign company can take into account several methods of calculation: start-up costs such as file opening fees; monthly or annual recurring fees for the designation with the CNIL; then, depending on the services performed (maintenance of the register, response to the data subjects, etc.), remuneration (lump sum or according to an hourly rate). In addition, the risk exposure of the company is often taken into account in the calculation of the remuneration of the representative. The criteria used to assess this risk are generally the size of the company (according to the number of employees, the number of subsidiaries, the countries covered), the type of data processed (presence of particularly sensitive data categories) according to the sector of activity (for example the health sector), and the number of data subjects likely to exercise their rights.
First of all you have to make sure, as for the choice of your DPO, that your GDPR representative is an expert in GDPR compliance. His mission implies an in-depth knowledge of the regulations: he represents you before the supervisory authority and manages the requests of the persons concerned by your processing. The mission of the representative is therefore not simply administrative; in the event of an inspection by the CNIL or even a dispute, the answers provided by the representative often prove decisive for the progress and the outcome of the procedures initiated against your company. Also remember that although your representative cannot be your DPO at the same time, he can still give you valuable advice. Of course the availability of the GDPR representative is an important criterion; as with any mandate, communication must be simple and quick. In the same vein, it is necessary to verify the procedures for exchanging information, for example checking that the data processing records can easily be updated and that the management of notifications and requests from data subjects is technically mastered. The GDPR representative must be able to provide his insurance certificate covering his activity as “RGPD representative article 27 of the GDPR” (not only DPO). This list of selection criteria for your GDPR Representative is not exhaustive.
Not necessarily. A group of companies can designate a single GDPR representative in the EU as long as that representative can effectively liaise with and be accountable to all relevant data protection authorities on behalf of each entity within the group. The key is that the representative should be capable of handling all GDPR-related tasks for all the entities it represents.
The procedure involves two main steps. First, the non-EU organization should sign a formal written agreement with the person or organization appointed as the GDPR representative. This agreement should outline the responsibilities of the representative, which include liaising with supervisory authorities and data subjects. Second, the non-EU organization should update its privacy policy to include the contact details of the GDPR representative.
A GDPR representative can be an individual, a company, or an organization based in the EU. They should have a strong understanding of GDPR and be capable of liaising with both the organization they represent and the relevant European authorities.
No, according to Article 27 of the GDPR, the representative must be located in the EU. This is to ensure that data subjects and supervisory authorities in the EU have a local contact point.
Yes, failure to appoint a GDPR representative can result in administrative fines of up to €10 million, or 2% of the company’s global annual turnover, whichever is higher.
No, not all non-EU companies need a GDPR representative. Companies are exempt if their data processing is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of natural persons.
The timeline can vary, but once a non-EU organization finds an individual or organization willing to act as their GDPR representative, the appointment process can be completed relatively quickly. The written agreement can be signed and the privacy policy updated within a few days.
Yes, but it’s usually more efficient to have a single representative for all EU operations, especially if your business operates in multiple EU countries. The representative should be located in one of the countries where the data subjects are based.
The GDPR representative is not directly responsible for the organization’s GDPR compliance. The organization itself retains this responsibility. However, the representative does play a crucial role in facilitating GDPR compliance and liaising with supervisory authorities and data subjects.
Companies not established in the EU that offer goods or services to, or monitor the behavior of, EU data subjects, typically need a GDPR representative. These can include e-commerce platforms, software services, marketing companies, and many more.
Yes, a non-EU company can change its GDPR representative at any time. However, it must inform the relevant data protection authorities and update its privacy policy to reflect the change.