Not all organisations that have dealings with the EU require an Appointed Representative, and not all Member States require one. Also, the rule does not apply to limited processing of personal data in the EU. The requirement arises if organisations (both controllers and processors):
- regularly offer goods or services to data subjects located within the jurisdiction of the Member State,
- monitor behaviour of data subjects or process special category data or details of criminal activity on a large scale, or
- otherwise process personal data in a way that is likely to result in a risk to the rights and freedoms of individuals.
Based on guidance from the European Data Protection Board on the Territorial Scope of GDPR (page 23 onwards), only one Appointed Representative in the EU will be required even if the organisation processes personal data relating to citizens of more than one EU Member State. However, the appointment should be made in the Member State where most of the data subjects are located.
An Appointed Representative is not required if the organisation has an “establishment” in the EU where the processing is subject to the GDPR directly. The following constitute an establishment:
- Having a branch office or head office in the EU
- Being part of a group of companies, one or more of which is located in the EU
- Having a data processor or data controller located in the EU
In all cases, the processing of personal data must be “carried out in the context of the activities of an establishment”, which means that the EU-based entity must be involved in processing the data or overseeing the processing in relation to the EU. The EDPB guidance includes examples.
For information about the practicalities of appointing a representative, see our blog here.
If you need help tailoring data protection advice to the circumstances of your organisation, contact us.
Mandy P Webster, Data Protection Consultant