Video Guides

Flor McCarthy answers your questions about the GDPR and EU Representation.
When is an EU Representative required under GDPR?

An EU representative is required under GDPR in a situation where a person is holding data on behalf of a data subject based in the EU but does not have an establishment in the EU themselves. The person holding the data will have to appoint an EU representative to comply with GDPR.

Click below to watch the video answer to this question.

GDPR Video Link

Who Needs an EU Data Representative?

Any business located outside the EU that has no presence in the EU itself, and that does business with or holds data on behalf of people who are in the EU, is required to appoint a representative.

Where should your EU Data Representative be located?

There needs to be at least one data subject in the EU member state where the representative is appointed. Best practice would be to appoint the representative in the member state where most of your data subjects are located.

What is required of an EU representative under the GDPR?

The EU representative is required to be the point of contact in the EU for the non-EU business in the event of a GDPR request or complaint. Data subjects can contact the local representative to exercise their GDPR rights.

What’s the difference between an EU Data Representative and a Data Protection Officer?

The EU representative is an external contact that data subjects or supervisory authorities can make contact with locally. The DPO is responsible for ensuring compliance with the GDPR on behalf of the data processor or controller.

Can a DPO fulfill the EU Representative Role?

No – the European Data Protection Board has ruled that there is a conflict of interest between the GDPR representative role and the data protection officer role, under Item 227.

Are EU representatives involved in advising companies on GDPR compliance in any regard?

Although the core function of the EU representative for the business is to be a point of contact for local subjects and supervisory authorities, it may provide additional services around GDPR compliance as they arise.

Do EU representatives just respond to individual inquiries and access requests independently or do they simply forward those inquiries to the business and share the response for the individual?

The EU representative should not do anything without first relaying the request or communication that has been received from the data subject to the data controller or processor.

How does an EU representative engage with EU DPAs on behalf of the business?

The EU representative will do what is required when requested by the DPA. It will be the point of contact between the data processor/controller and the local supervisory authorities, and will ensure the flow of communication.

Is the role of an EU representative primarily to provide an enforcement hook for EU DPAs and ensure that the company will pay GDPR fines?

No – its primary role is to provide data subjects and supervisory authorities with a source of contact for the non-EU-based data controller or processor.

What do you need to consider when appointing an EU and/or a UK representative?

Reputation and knowledge are key considerations. It is also important that the representative has the appropriate business liability insurance for the function it is undertaking, as are its response times and level of communication.

Who is the supervisory authority for GDPR if your company is located outside the EU? Who does that company report to?

Each member state has its own Supervisory Authority. The principles of the GDPR are uniform across the EU and all supervisory authorities should adopt similar and unified approaches to the enforcement of the GDPR.

How is an EU representative’s liability managed? Can the representative be fined for violations of the GDPR?

The EU representative will have entered into an appointment agreement with the non-EU business and will seek indemnities from that business for any liability that the representative may find itself exposed to.

Under what authority can the EU impose GDPR-related fines on companies with no presence or assets located within the EU?

The GDPR has global territorial effect. The requirement to appoint a representative is one of those requirements and the purpose of it is to give effective force to the sanctions that can be imposed by the GDPR International.

Why should anyone who operates in the US be concerned with GDPR?

The fines and sanctions that apply under the GDPR have international effect – they apply no matter where the business that is processing the data is located once the data subjects are located in the EU.

What is the cost of non-compliance with GDPR and the appointment of an EU representative?

The fines in the GDPR can extend to vast sums of up to 4% of global revenue with the potential of civil liability or class action type lawsuits brought on behalf of large numbers of data subjects.

What is the reputational cost for those who choose not to comply?

It is the biggest risk a business can take, as people value their privacy and their data protection rights greatly. A business's failure to comply with GDPR laws can cause a great deal of harm to its reputation.

How will things change with Brexit?

After Brexit, the UK will no longer be a member of the EU. Therefore any business located in the UK that continues to hold data or do business with data subjects in the EU will be required to appoint a representative in the EU.

What is the difference between an EU representative and a UK representative?

The UK has adopted its own form of the GDPR which will apply after Brexit. An EU representative will no longer be the point of contact for data subjects in the UK. A non-UK company will need to appoint a UK representative to do so.
