Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
The GDPR and Businesses Outside the EU and EEA
Where a business is based outside the EU and the EEA but collects or processes the data of citizens of member states, the GDPR is engaged. For simplicity, such businesses are referred to here as non-EU businesses. In today’s blog we will explore such businesses’ potential need to appoint a representative.
The role of representatives and supervisory bodies:
A non-EU business is subject to the provisions of the GDPR if its services relate to data subjects within the EU. Such a business must appoint a representative in the EU or EEA. This representative should be in one of the member states of the EU and the representative may need to interact with multiple supervisory bodies in multiple languages (it should be noted that some member states have multiple supervisory bodies). If there is a data breach then dozens of notices may need to be sent in multiple languages to the supervisory bodies within the strict 72 hour deadline.
There is no required format for the designation of a representative, except that the designation must be in writing. It should also set out the tasks of the representative.
Different jurisdictions can have different registration regimes. For UK businesses, it is typical to have a single supervisory body – the ICO. The ICO is funded by a data protection fee, which replaces a previous registration regime. The need to register before being permitted to process data no longer applies.
As to where a representative should be located within the EU or EEA given a choice, it has been a longstanding principle of EU law that each member state of the EU should be considered to be mutually trustworthy and that competency should be regarded as consistent as far as possible. However, this principle is not offended if factors of practicality are considered, such as language, the location where a breach might occur, the locations where most data is processed and the location where most data subjects are based.
There is an established supervision framework between supervisory bodies to allow them to co-operate and channel items through each other for convenience.
Non-EU companies may consider seeking advice on how their business might be structured to incorporate a business in the EU appropriately within their corporate structure.
The GDPR requires prescribed information to be presented to data subjects which can often be achieved through privacy notices. Non-EU businesses must identify their representatives in such notices to ensure complaints are directed appropriately. The drafting of notices requires a data mapping exercise since advanced disclosure of the legal bases of data processing is necessary. The record-keeping requirements of the GDPR extend to the representative.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.