FAQs

Under the GDPR, a controller or processor with no establishment in the EEA (including a UK controller or processor following the end of the Brexit transition period) are required, subject to limited exceptions, to appoint in writing an EU Representative if their processing activities are related to the offering goods or services to individuals in the EEA or monitoring their behaviour in the EEA. Processing activities of this scope are subject to the GDPR.
 
The citizenship, residence or other type of legal status of the data subjects is irrelevant.

Τhe Representative acts as the liaison between your organisation (controller or processor) and the individuals as well as the supervisory authorities, on all issues related to data processing, for the purposes of ensuring compliance with the GDPR and UK GDPR.
 
The Representative’s contact details should be easily accessible to supervisory authorities, for example, by publishing it on your website and should also be provided to data subjects, for example, in your privacy notice.
The data Subjects and the supervisory authorities can contact the Representative in addition to or instead of the non-EU company on all issues related to data processing.
 
The Representative has to maintain records of processing activities of your organization and make it available to the supervisory authorities, upon request.
 
The Representative shall also cooperate, on request, with the supervisory authorities in the performance of their tasks.
 
The supervisory authorities are able to initiate enforcement proceedings against the organisation through the Representative and to address corrective measures imposed on the organisation to the Representative.
 

After the end of the Brexit transition period, the UK GDPR requires, subject to limited exceptions, that controllers or processors that are not established in the UK to designate a UK Representative if their processing activities are related to the offering of goods or services to individuals in the UK or monitoring their behaviour in the UK. Processing activities of this scope are subject to the UK GDPR.
 
The citizenship, residence or other type of legal status of the data subjects is irrelevant.

The monitoring may encompass a broad range of monitoring activities, including:

• Online tracking through cookies and device fingerprinting
• CCTV
• An online personalised diet and health analytics service
• Behavorial advertistng and geo-localization of content (particularly for advertising purposes)
• Monitoring or regular reporting on individuals; health status
• Market surveys and other behavioral studies based on profiling

Where processing activities by a controller relates to the offering of goods or services or to the monitoring of individuals (''targeting'') in the EU or the UK,  any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR in respect of that processing and therefore.

The existence of a branch or subsidiary in the EU or in the UK is not equivalent to an establishment.
 
An establishment implies the effective and real exercise of activities through stable arrangements, exercising real and effective activities. The legal form of such arrangements, whether through a branch or subsidiary with a legal personality, is not the determining factor in that respect. 
 
We can assist you in assessing whether your organisation has an establishment in either the EU or in the UK.

The EU Representative can be a natural or legal person established in one of the EU member states where the data subjects whose personal data are processed in relation to the offering of goods or services to them or whose behaviour is monitored.  Under the UK GDPR, the Representative needs to be located in the UK.
 
One Representative can act on behalf of several organizations.
 

The function of a Representative is not compatible with the role of a Data Protection Officer, because the Data Protection Officer must perform her/his duties in an independent manner whereas the Representative acts on behalf of the company and under its direct instruction.
 

 No

The requirement does not apply where the organisation is a public authority.  Also, organizations are exempted from the obligation to appoint a Representative where the processing is:

• Occasional
• Does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences
• Is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of processing.

We can assist you in assessing whether you are required to appoint an EU or UK Representative or both.
 

The organisation shall mandate the Representative to be addressed in addition to or instead of the organisations by supervisory authorities and data subjects on all issues related to the processing, for the purposes of ensuring compliance with the GDPR. Additionally, it shall furnish to the Representative its updated and accurate record of processing activities, which the organisation or the Representative must make it available to the supervisory authority, on request. We can help you with compiling the record or reviewing and improving your existing record.

In order to determine whether your company is offering goods and services to data subjects who are in the EU or the UK, it should be ascertained whether it is apparent that you offer services to these data subjects. We can assist you in assessing whether any of the processing activities are related to the offering goods and services to data subjects in the EU or the UK.

Yes. Every separate company must appoint a Representative. Privacy Minders offers special options to manage the representation of the affiliates by choosing one of our group packages (small-, medium- or large-sized). The number of affiliates determines which group package fits the group of companies.

In addition to the obvious risk of being the subject of complaints by data subjects and investigations by the supervisory authorities, which could lead to the imposition of a fine against the company or other remedies, not appointing a Representative, where this is required by the law, jeopardizes your organization's reputation and overall compliance with data protection laws. Without a presence in the EU or the UK, your data subjects are deprived of their rights and the supervisory authorities may be not able to communicate with you to exercise their functions and duties.
 
On the flip side, appoint a Representative not only improves your level of compliance, but also signals to the public that you acknowledge your engagement with the EU GDPR or UK GDPR and you are respectful of your data subjects' rights and your data protection obligations, giving you a competitive advantage over organization which disregard their obligation to appoint a Representative.

• EU GDPR: The maximum fine for non-compliance is €20 million or 4% of annual global turnover.
• DPA 2018/UK GDPR: The maximum fine for non-compliance is £17.5 million.