What is a GDPR Representative and why does it matter to you?
Article 27 of the General Data Protection Regulation (GDPR) requires any business not based in the EU that holds data on anyone in the EU to appoint a representative in the EU for GDPR purposes.
Therefore, if your business does not have a physical presence in the EU but holds data on anyone in the EU, e.g. you have customers or prospects in the EU, you must appoint a GDPR representative in the EU for your business.
What does the GDPR Representative do?
The GDPR Representative’s role is to act as the point of contact in the EU for your business, both for the people in the EU whose data you hold (called data subjects) and for data protection regulators in the EU. The idea is that EU-based data subjects are entitled to have their data protection affairs handled in the EU via parties that are amenable to EU law.
Your representative will be the person whom data subjects contact if they wish to exercise their rights pursuant to the GDPR. Your representative will also be the first person the regulators contact if they receive a complaint from someone in relation to your business. Similarly, if you encounter a data protection issue in your business, for instance a data breach that needs to be notified to the regulator, your local representative is the person to make this notification on your behalf.
If I have appointed a Data Protection Officer do I still have to appoint a Representative?
A GDPR Representative for the purposes of Article 27 is different from a Data Protection Officer (DPO), and the two roles are distinct. If you are required to appoint a DPO for your business and you have done so, this may not fulfil your obligations pursuant to Article 27. Unless your DPO is also based in the EU and designated in writing as your representative there, you will also need to appoint a representative separately from the DPO. In reality, if you are outside the EU, your representative will act as the liaison between your DPO and the data subjects and regulators in the EU.