How is an EU representative’s liability managed? Can the representative be fined for violations of the GDPR?
Well yes, the terminology that’s used in the GDPR is that the GDPR representative is intended to be amenable to sanction, or accountable, on behalf of the non-EU based business. From a practical point of view, in terms of how that liability is managed, the representative will enter into an appointment agreement with the business located outside of the EU and will seek indemnities from that business for any liability that the representative may find itself exposed to.
The European Data Protection Board has stated that it believes the Article 30 Record of Processing, which is a requirement of the GDPR, is the primary function that it would see the representative having. It would see that as a joint responsibility between the representative and the data controller or processor based outside the EU, and therefore the representative would want to ensure that it is able to gain access to the Article 30 Record of Processing in the instance that it is requested to produce this to the Supervisory Authority. You would expect to see that the agreement in place between the representative and the appointing data controller or processor would underpin that. You would also then expect to see various indemnities in place between the controller or processor appointing the representative, simply so that if the representative is asked to account on behalf of that controller or processor, the representative will be able to go back to the primary person who is responsible, i.e. the controller or processor located outside the EU.