Contractors, does your company need to appoint an EU data representative?
After a long (and sometimes painful) four years, for better or for worse, the United Kingdom has finally left the European Union with a deal.
As a result of this semi-amicable divorce settlement, several EU laws and requirements no longer apply to the UK – with new measures put in place through the EU-UK Trade and Cooperation Agreement, and some laws surviving through virtue of already being implemented into national law.
As such, UK-based contractors, consultancies and businesses now need to ensure they are in compliance with these new requirements, especially when doing business in the EU (even remotely), or with customers or suppliers based in the European Union.
One of these new requirements relates to processing personal data of the residents of the European Economic Area (the ‘EEA’). As the UK is no longer part of the EEA, certain UK-based entities will need to appoint an ‘EU representative’ if they wish to continue processing the personal data of EEA residents, writes Komal Shemar, legal consultant at Gerrish Legal.
In this first instalment of a three-part series exclusively for ContractorUK on navigating the new data-related requirements between the UK and EU under December’s Brexit deal, we will discuss how to determine whether or not your contractor business needs to appoint an EU representative, how to choose who and where your representative should be, and explore the procedure to making the appointment formally.
What is an EU representative?
The role of an EU representative is not a new one – it has existed for quite some time now under the General Data Protection Regulation, (the ‘GDPR’). The GDPR has extra-territorial reach and therefore, applies to all entities and individuals that process the personal data of residents (or rather ‘data subjects’) of the EEA – regardless of where such processing takes place or where such entities are based. Therefore, even though the UK has left the EU, all individuals and businesses who continue to process EEA personal data will remain subject to this legislation.
Specifically, Article 27 of the GDPR sets out the role and requirements of an EU representative. It specifies that all non-EEA based entities must appoint an EU representative (sometimes called a ‘data representative’) when processing EEA personal data, subject to certain requirements.
This ‘EU representative’ will do exactly what the name suggests – represent and act on behalf of the non-EEA entity (your UK contractor business for example), in front of EEA data subjects, supervisory authorities, and even in EEA courts. This representative can be a company, or a natural person based in the EEA.
The reasoning behind having a representative in the EEA is that it is easier for data subjects to exercise their rights, communicate with and work with an EEA based entity as opposed to an entity based in a ‘third country’ (which the UK is now considered as since it has left the EU).
This can include:
- Responding to data subjects in their native language,
- Responding to requests to access or delete data ; and
- Responding to actions, claims or investigations from supervisory authorities.
It is worth noting that your EU representative does not alleviate ‘controllers’ or ‘processors’ from their own GDPR obligations, and the representative does not replace you in the event of breaches or sanctions. But the EU ‘rep’ can be liable in their own right for failing to adhere to their own responsibilities.
However, the important thing to remember is that this has become a legal requirement from January 1st 2021. Therefore, you could be infringing the rules if you are required to appoint an EU representative but have failed to do so. This is particularly pertinent for those contractors and businesses working in the digital and IT sector – as cross-border data transfers and processing are the norm for the industry.
How do I know whether I need to appoint an EU representative?
You will need to appoint an EU representative if you meet the following requirements:
- You act as either a controller or a processor;
- You do not have any offices, branches or other establishments in the EEA; and
- You are offering goods or services to individuals within the EEA; or monitoring the behaviour of individuals in the EEA.
The definitions of ‘controller’ and ‘processor’ are quite broad under the GDPR – you will be acting as one of the two if you are processing personal data – which includes collecting, organising, storing, altering, using, disclosing, disseminating, combining, restricting, or deleting any personal data.
Whether you are deemed to be ‘providing goods or services’ to individuals within the EEA can be a complex question. For example, if an EEA resident accesses your services that are targeted specifically at UK clients alone, you wouldn’t necessarily be seen as targeting EEA residents. However, on the flip side, even sending a free newsletter or updates to EEA residents about your business or services could be deemed to be providing a service to them, even if you do not receive payment!
Additionally, ‘monitoring the behaviour’ of EEA residents can also mean you fall within the scope of the rules, which can be triggered as easily as applying cookies or other tracking technologies to your website which is accessible from within the EEA. Therefore, it is important to closely review your processing activities in order to determine whether you could fall under these categories – and seeking professional legal advice for this assessment is really highly recommended.
Are there any exceptions to this obligation to appoint an EU representative?
There are some exceptions to this requirement to appoint an EU representative. The nature of the processing also needs to be taken into account. In particular, Article 27(2) of the GDPR states that the obligation to nominate an EU representative does not apply if:
- Your processing is ‘occasional’ ;
- Your processing does not include, on a large scale:
- special categories of personal data (namely, data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation); or
- data relating to criminal convictions and offences; and
- Your processing is unlikely to result in a risk to the rights and freedoms of data subjects – taking into account the nature, context, scope and purposes of the processing; or
- You are a public authority or body.
If you do decide that you are not required to appoint an EU representative, then you must document this decision, as per the ‘accountability principle’ of the GDPR. Given the high stakes for non-compliance – namely, hefty fines (any breach would be subject to the normal limits placed by the GDPR – up to 4% of annual global turnover, or €20 million, whichever is greater), plus and the reputational risk attached to breaching privacy laws, such a decision should, in our view, only be made after seeking professional advice. The documentation you produce to evidence your decision will be important if you are challenged on your decision not to appoint a representative or if you are under investigation by a supervisory authority.
How to choose your EU representative and where should they be based?
Once you have established whether you will be required to appoint an EU representative, the next thing to look at is choosing who your EU representative will be.
It is important to remember that your EU representative will act on your behalf to facilitate the exercise of data subjects’ rights within the EEA, which includes responding to data subjects (preferably in their native language), and cooperating with competent supervisory authorities in respect of any action, investigation or claim under the GDPR.
Therefore, it is important to choose an established and trustworthy partner, such as a law firm or privacy expert. This is because your EU representative must be capable of fulfilling the foregoing obligations within the EEA.
Your EU representative will need to be set up in an EEA country where some of the individuals whose personal data you are processing are located. Usually, your representative will be based in the territory where you have the largest number of data subjects – for example, if you are a UK-based IT consultancy with business in several EU states, but the majority of your data subjects are in France, it would make sense to have your EU representative based in France, unless you can show there is logic in appointing an EU representative elsewhere.
This can be a complex question for those of you contractors who are supplying digital trade or working in the field of cookies or other tracking technologies. It is therefore always worth seeking legal advice on your specific circumstances to ensure your appointment is correct.
How to appoint an EU representative?
Once you have decided who your EU representative shall be and where they need to be based, you will need to formally appoint them. This appointment must be made in writing, and is usually done by way of a ‘Service Agreement,’ signed by the duly authorised representatives of each entity or, in the case of self-employed contractors, signed by the persons concerned. If such an agreement is signed by a company, a single individual should be named as a ‘lead contact’ who will be in charge of compliance and communication.
After you have appointed your EU representative, there are certain formalities which need to be carried out, such as informing the EEA-based individuals whose personal data you are processing of this new appointment of your EU representative, and where required, notifying the relevant supervisory authority of your appointment of an EU representative. Therefore, it is important to review any applicable local requirements on a case-by-case basis, depending on the countries that your EEA based data subjects are residing in. Again, it is always worth seeking legal advice on this point – and ensuring that the EU representative you appoint has sufficient skills and knowledge, and is capable of ensuring your compliance with any local rules. You do not want to jump through the significant number of hoops here, just to come unstuck because of your chosen representative’s lack of expertise!
In our next instalment, we will be discussing the new rules under the Trade Agreement in relation to personal data transfers between the EEA and the UK, and the mechanisms you must put in place to avoid breaching the rules under the GDPR.
In the interim, if you believe that your company is in need of appointing an EU representative, or if you have any questions in relation to the above, please do not hesitate to contact us.