The Information Commissioner’s Office (‘ICO’) in the United Kingdom (‘UK’) has issued guidance (‘Guidance’) on the appointment of European representatives by companies after the Brexit transition period. The UK is currently in the transition period, and Brexit will take full effect from 2021. During this transition period, European Union (‘EU’) and/or European Economic Area (‘EEA’) law continues to apply to the UK. In this regard, the ICO has been taking steps to prepare organisations in the UK to comply effectively with the EU General Data Protection Regulation (‘GDPR’).
The UK government has on occasion shown interest in enacting a UK GDPR similar to the EU GDPR. Accordingly, the Guidance addresses certain compliance requirements for controllers and processors based in the UK with respect to appointing a European representative.
Applicability
The Guidance addresses controllers and processors who are based in the UK and
(i) have been providing goods or services to people in the member states of the EEA; or
(ii) have been monitoring the behaviour of individuals in the EEA,
but do not have any offices or branches in the EEA. The EU GDPR will apply if such controllers or processors continue such processing in the EEA after the transition period. This follows Article 3(2) of the GDPR, which extends the scope of the GDPR to entities not established in the EU that process the personal data of EU data subjects.
Article 27 of the GDPR, which mandates the appointment of a European representative, states that this requirement does not apply to processing which is occasional, which does not include:
(i) special category data such as race, ethnic origin, political opinions, religious or philosophical beliefs, biometric data used to identify individuals, health data, or data concerning sex life or sexual orientation; or
(ii) personal data relating to criminal convictions or offences,
and which is unlikely to result in a risk to people’s rights and freedoms, considering the nature, context, scope and purposes of the processing.
Hence, combining Article 3(2) and Article 27 of the GDPR, such entities are required to appoint a representative, failing which they would be in breach of the GDPR, unless they fall within the exemption for occasional processing that does not involve large-scale processing of such data (Article 27(2) of the GDPR).
Requirement of Appointing a European Representative
The relevant controllers and processors will be required to appoint an EEA representative in an EU/EEA member state where the data subjects are located. If the data subjects reside in more than one EEA state, the representative may be appointed in any of those states.
Such a representative may be an individual, a company or an organisation that is authorised to represent the controller or processor with regard to its obligations under the GDPR. Representatives must be given the authority to deal with supervisory authorities and data subjects.
Such controllers or processors shall make the details of the representative easily accessible to data subjects and to the authorities by including them in the privacy notice sent to data subjects, by providing the information at the time such data is collected, and by publishing it on the controller’s or processor’s website (e.g. in the privacy policy), as applicable.
The Guidance gives the example of a law firm based in the UK that provides regular services to people in EEA member states. Such a law firm will be required to appoint a representative and to inform the data subjects by issuing a privacy notice. There is no requirement for the law firm to inform the supervisory authorities as such, including the ICO; however, the details of the representative must be made available on its website.
BlockSuits Comments
The Guidance also states that there is no need to appoint a representative if (i) the processing or controlling entity is a public authority; or (ii) the processing is only occasional and poses a low risk to the data protection rights of data subjects. Further, where there is no large-scale use of special category or criminal offence data, no representative needs to be appointed, as stated above and as provided under the exemption in Article 27(2) of the GDPR.
The Guidance further advises controllers and processors to record the terms of the appointment of the European representative in writing. However, such an agreement does not affect the legal liability and responsibility of the controllers and processors. Further, reading the Guidance together with the European Data Protection Board (‘EDPB’) Guidelines 3/2018 on the territorial scope of the GDPR (‘Territorial Guidance’) issued in January 2020, it is clear that supervisory authorities can take enforcement action and impose liabilities on the representative in the same manner as they would against the organisation that appointed it. The Territorial Guidance also suggests that the appointment of a representative in the EEA does not constitute an ‘establishment’ of the controller or processor under Article 3(1) of the GDPR.
Moreover, in this context, the EDPB does not consider the function of a representative compatible with that of an external Data Protection Officer (‘DPO’) established in the EU. This is because DPOs are given a degree of autonomy to perform their functions and, as per Recital 97, must be ‘independent’ in performing their tasks. In essence, while DPOs receive no instructions from the organisation on how to perform their tasks and are given leeway to assess any breaches independently, representatives may be issued directives by the organisation on various functions. The representative essentially works on the direct instructions of, or acts on behalf of, the controller or processor, unlike a DPO. This may also mean that in data rights infringement proceedings before EU courts, the court may deem the opinion of a DPO to take precedence over that of a representative. While the Guidance does not specify the degree of liability that could be asserted against representatives, the Territorial Guidance states that representatives shall be liable for their obligations under Article 30 of the GDPR (maintaining records of processing) and Article 58(1)(a) (cooperating with requests and providing information as required by supervisory authorities).
Moreover, in this regard, both the Guidance and the Territorial Guidance should have specified whether the role of the representative is that of a mere ‘messenger’, as it appears to be from the current Guidance, or whether representatives have greater powers and can also be bound by the contractual obligations of the parent entity. The Territorial Guidance itself states that the aim of introducing the concept of a representative was to provide a ‘liaison’ to ensure the effective enforcement of the GDPR. Considering that direct liability of a representative arises only in the two categories above, it remains unclear whether a representative could be granted further rights or a ‘power of attorney’ on behalf of the controller or processor.
Authored by Samaksh Khanna, co-founder, and Shivani Agarwal, founder.