The requirement for an Appointed Representative arises in some cases where organisations located outside the EU regularly:
- offer goods or services to data subjects located within the EU, or
- monitor behaviour of data subjects in the EU or
- process special category data or details of criminal activity on a large scale or
- otherwise process personal data in a way that is likely to result in a risk to the rights and freedoms of individuals.
There is an exemption where the processing:
- is occasional,
- does not include large scale processing of special category data or criminal convictions and offences and
- is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
In such cases, no Appointed Representative is required. Also, not all Member States of the EU have adopted the requirement for an Appointed Representative: Article 27 of GDPR, which provides for the appointment of a Representative, could be disapplied by Member States.
After the transition period following Brexit, organisations located in the UK may need to appoint a local Representative under Article 27 if their activities meet the conditions specified above. The practical points of the appointment are considered in an earlier blog, “Appointing a Representative in the EU”; this blog considers some of the issues that should be covered in the agreement between the controller and the Representative.
If an Appointed Representative is required, the appointment must be in writing authorising that person/company to “be addressed” either as well as or in place of the controller/processor. Communication from supervisory authorities and data subjects on all issues related to personal data processing and for purposes of ensuring compliance with GDPR may be routed through the Appointed Representative.
GDPR provides a basic list of the duties of an Appointed Representative. They must maintain a record of processing activities under the responsibility of the controller or processor in the territory. They also have a duty to act as a point of liaison on behalf of the controller in respect of all issues pertaining to compliance with GDPR, for both the competent supervisory authorities and data subjects, with an obligation to have their contact details published in the controller’s privacy notices.
As far as obligations go, the Appointed Representative has an obligation to cooperate with the competent supervisory authorities.
GDPR specifies that the appointment must be made in writing. The European Data Protection Board in its guidance published November 2019, says that the written mandate should cover the relations and obligations of the parties, in the style of a service contract. Where a company is designated as the Appointed Representative it is recommended that a lead individual be named.
As the objective of the role is to provide national supervisory authorities and data subjects with a local point of contact for communication with the controller, the service agreement needs to specify contact details, including out of business hours contact details and reporting standards to set the timescales in which the controller expects to be informed of different levels of enquiry and timescales in which the Appointed Representative should expect a response.
Although GDPR states that the representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor, the EDPB makes it clear that the Appointed Representative cannot be held financially liable in the place of the controller. However, access to funds will be required to allow the Appointed Representative to take legal advice if the situation warrants it. The circumstances in which the Appointed Representative would be entitled to incur expense on behalf of the controller, and the financial limits on that expense, are other areas to cover in the service agreement.
As data security breaches can severely damage the reputation of a controller, it is sensible to have a PR company briefed and ready to handle any fallout from a breach or an investigation by the supervisory authority. Again, the extent to which the Appointed Representative is empowered to disclose information about the internal affairs of the controller, and the extent to which it can commit the controller to expenditure in these areas, should be covered in the agreement.
The Appointed Representative is duty bound to respond to routine contacts from data subjects and the local regulatory authority. What is considered “routine” needs to be defined, for example requests for more information or clarification of information provided, and requests to participate in surveys. These routine issues will not require immediate reporting to the controller and can be covered in routine reports, perhaps quarterly or six-monthly, if there are no implications for the controller. Other enquiries will be less routine and will require immediate reporting to the controller. The agreement should include guidance on which matters are considered routine and which are not, as well as reporting lines and the content, format and frequency of reporting.
The Appointed Representative is likely to be a paid role and payment terms should also be covered in the agreement.
Depending on the circumstances there may be other issues to cover in the agreement but this is a starting point for the likely content of a service agreement.
Mandy P Webster, Data Protection Consultant