Companies that provide goods or services within the EEA but are based outside the EEA are required to set up a representative for GDPR; this is enforceable, even though Brexit has already happened.
The GDPR came into force in May 2018 in the European Union; since Brexit, the UK has signed into law equivalent legislation (the UK-GDPR is an almost word-perfect copy of the EU GDPR).
This far-reaching piece of Data Protection legislation really shook up the private sector, giving private individuals a lot more rights and private companies a lot more responsibilities. Crucially, those responsibilities can come with a hefty fine if they're breached - up to 2% of your annual turnover, or €10 million.
To be absolutely clear, the GDPR applies to any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to your data. That includes mailing lists, customer lists, orders, enquiries and emails and covers any information stored electronically, or on paper.
In this series of articles, we provided some general guidance on some of the basic elements of the new Regulations; how they affect you and your website. Do remember that this legislation represents a new legal requirement. That means that if you have any concerns, seek legal advice.
“If you do not have any EEA offices, branches or other establishments, you should consider whether you are processing personal data of individuals in the EEA that relates to either:
offering goods or services to individuals in the EEA; or
monitoring the behaviour of individuals in the EEA.”
- ICO
An EU Representative is an individual or company appointed on behalf of a Data Controller based outside of the EU; they are responsible for managing personal data of EU citizens.
In simpler terms, if you are based outside of the EU, but trade within the EU, you may need a Representative to cover off your GDPR obligations.
There are a lot of companies hopping onto this particular bandwagon at the moment, seeing a way to make a quick profit. The situation is rather confused at the moment, and that's created a lot of opportunities for businesses to take advantage. A few of our clients have already reported receiving enquiries from companies who claim to be able to act as 'expert EU Representative' who are 'specialists in the field of compliance'.
But do you actually need an EU Representative?
Companies that provide goods or services within the EU but are based outside the EU are required to set up a Representative. That would include anyone providing eCommerce to the EU, even if they simply have an English-language site and take only GBP, but also deliver into the EU.
This is supported by the EU’s guidance.
“The conduct of a [data] controller…demonstrates its intention to offer goods or services to a data subject located in the [European] Union.” and that while, “the mere accessibility of the…website in the [European] Union… is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in [the EU]…may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
- EU Guidance
That means that if you have specific language or currency websites or sections of your website, you would be viewed as intending to provide goods/services to the EU and will likely need a European representative. Likewise, payment for marketing activity like AdWords in a country indicates an intention to do business there.
However, “mere accessibility of the… website in the [European] Union… does not, of itself, provide sufficient evidence to demonstrate the controller or processor’s intention to offer goods or services… in the [European] Union.” In this case, a European representative may not be needed.
A website, based and managed in Turkey, offers services for the creation, editing, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros. The website indicates that photo albums can only be delivered by post mail in France, Benelux countries and Germany.
In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union.
As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a).
In accordance with Article 27, the data controller will have to designate a representative in the Union.
Despite the above, it doesn't look like everyone is going to need an EU Representative, even if they do trade with the EU. The EU's own guidance highlights one specific exemption:
If the processing is “occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10,” and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.”
That suggests that if you only trade occasionally with the EU, without handling especially sensitive data, you are unlikely to need an EU Representative.
It's hard to be absolutely certain on this topic; the guidance is new, and with everything about Brexit, a lot is still changing.
Even the guidance we've quoted above is open to interpretation. Although it makes clear that there is an exemption for companies which do not operate at a "large scale", there is no definition for that term. That isn't likely to come until case law catches up and the European Courts make a judicial decision on these matters. Until then, companies will have to make their own decisions.
Nevertheless, we've tried to make your life a little easier with this handy reference table.
| | English Language/GBP Currency only | EU Language/Currency option |
|---|---|---|
| Do not deliver to the EU | EU Representative not needed | n/a |
| Occasionally deliver to the EU | EU Representative may be needed | EU Representative may be needed |
| Routinely deliver to the EU | EU Representative may be needed | EU Representative needed |
Hopefully this should make things a little clearer, but if you'd like to discuss it more, please get in touch, or seek legal advice.