Guidelines 03/2018 on Territorial Scope of Article 3 GDPR

SECTION 4  REPRESENTATIVE OF CONTROLLERS OR PROCESSORS NOT ESTABLISHED IN THE UNION

Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation.

This provision is not entirely new since Directive 95/46/EC already provided for a similar obligation. Under the Directive, this provision concerned controllers not established on Community territory that, for purposes of processing personal data, made use of equipment, automated or otherwise, situated on the territory of a Member State. The GDPR imposes an obligation to designate a representative in the Union to any controller or processor falling under the scope of Article 3(2), unless they meet the exemption criteria as per Article 27(2). In order to facilitate the application of this specific provision, the EDPB deems it necessary to provide further guidance on the designation process, establishment obligations and responsibilities of the representative in the Union as per Article 27.

It is worth noting that a controller or processor not established in the Union who has designated in writing a representative in the Union, in accordance with article 27 of the GDPR, does not fall within the scope of article 3(1), meaning that the presence of the representative within the Union does not constitute an “establishment” of a controller or processor by virtue of article 3(1).

a) Designation of a representative

Recital 80 clarifies that “[t]he representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.”

The written mandate referred to in Recital 80 shall therefore govern the relations and obligations between the representative in the Union and the data controller or processor established outside the Union, while not affecting the responsibility or liability of the controller or processor. The representative in the Union may be a natural or a legal person established in the Union able to represent a data controller or processor established outside the Union with regard to their respective obligations under the GDPR.

In practice, the function of representative in the Union can be exercised based on a service contract concluded with an individual or an organisation, and can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, private companies, etc… provided that such entities are established in the Union. One representative can also act on behalf of several non – EU controllers and processors.

When the function of representative is assumed by a company or any other type of organisation, it is recommended that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented. It would generally also be useful to specify these points in the service contract.

In line with the GDPR, the EDPB confirms that, when several processing activities of a controller or processor fall within the scope of Article 3(2) GDPR (and none of the exceptions of Article 27(2) GDPR apply), that controller or processor is not expected to designate several representatives for each separate processing activity falling within the scope of article 3(2). The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks inan independent manner”. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union. The representative is indeed subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction. The representative is mandated by the controller or processor it represents, and therefore acting on its behalf in exercising its task, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner.

Furthermore, and to complement its interpretation, the EDPB recalls the position already taken by the WP29 stressing that “a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues”

Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance.

While the GDPR does not impose any obligation on the data controller or the representative itself to notify the designation of the latter to a supervisory authority, the EDPB recalls that, in accordance with Articles 13(1)a and 14(1)a, as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the Union. This information shall for example be included in the [privacy notice and] upfront information provided to data subjects at the moment of data collection. A controller not established in the Union but falling under Article 3(2) and failing to inform data subjects who are in the Union of the identity of its representative would be in breach of its transparency obligations as per the GDPR. Such information should furthermore be easily accessible to supervisory authorities in order to facilitate the establishment of a contact for cooperation needs.

• Example 24: The website referred to in example 12 (see section 2), based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the France, Benelux countries and Germany. This website being subject to the GDPR, as per its Article 3(2)(a), the data controller must designate a representative in the Union.

• The representative must be established in one of the Member States where the service offered is available, in this case either in France, Belgium, Netherlands, Luxembourg or Germany. The name and contact details of the data controller and its representative in the Union must be part of the information made available online to data subjects once they start using the service by creating their photo album. It must also appear in the website general privacy notice.

b) Exemptions from the designation obligation

While the application of Article 3(2) triggers the obligation to designate a representative in the Union for controllers or processors established outside the Union, Article 27(2) foresees derogation from the mandatory designation of a representative in theUnion, in two distinct cases:

• 1 processing is “occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”.

• In line with positions taken previously by the Article 29 Working Party, the EPDB considers that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor.

• Furthermore, while the GDPR does not define what constitutes large-scale processing, the WP29 has previously recommended in its guidelines WP243 on data protection officers (DPOs) that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: – the number of data subjects concerned – either as a specific number or as a proportion of the relevant population; – the volume of data and/or the range of different data items being processed; – the duration, or permanence, of the data processing activity; – the geographical extent of the processing activity

• Finally, the EDPB highlights that the exemption from the designation obligation as per Article 27 refers to processing “unlikely to result in a risk to the rights and freedoms of natural persons”, thus not limiting the exemption to processing unlikely to result in a high risk to the rights and freedoms of data subjects. In line with Recital 75,when assessing the risk to the rights and freedom of data subjects, considerations should be given to both the likelihood and severity of the risk.

                 Or

• 2 processing is carried out “by a public authority or body”.

• The qualification as a “public authority or body” for an entity established outside the Union will need to be assessed by supervisory authorities in concreto and on a case by case basis. The EDPB notes that, given the nature of their tasks and missions, cases where a public authority or body in a third country would be offering goods or services to data subject in the Union, or would monitor their behaviour taking place within the Union, are likely tobe limited.

c) Establishment in one of the Member States where the data subjects whose personal data are processed

Article 27(3) foresees that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”. In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored.

The EDPB confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed. The place of processing, even by a processor established in another Member State, is here not a relevant factor for determining the location of the establishment of the representative.

• Example 25: An Indian pharmaceutical company, with neither business presence nor establishment in the Union and subject to the GDPR as per Article 3(2), sponsors clinical trials carried out by investigators (hospitals) in Belgium, Luxembourg and the Netherlands. The majority of patients participating to the clinical trials are situated in Belgium.

• The Indian pharmaceutical company, as a data controller, shall designate a representative in the Union established in one of the three Member States where patients, as data subjects, are participating in the clinical trial (Belgium, Luxembourg or the Netherlands). Since most patients are Belgian residents, it is recommended that the representative is established in Belgium. Should this be the case, the representative in Belgium should however be easily accessible to data subjects and supervisory authorities in the Netherlands and Luxembourg.

• In this specific case, the representative in the Union could be the legal representative of the sponsor in the Union, as per Article 74 of Regulation (EU) 536/2014 on clinical trials, provided that it does not act as a data processor on behalf of the clinical trial sponsor, that it is established in one of the three Member States, and that both functions are governed by and exercised in compliance with each legal framework.

d) Obligations and responsibilities of the representative

The representative in the Union acts on behalf of the controller or processor it represents with regard to the controller or processor’s obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights, and in this regard and as already stated, the identity and contact details of the representative must be provided to data subjects in accordance with articles 13 and 14. While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights are effective.

As per Article 30, the controller or processor’s representative shall in particular maintain a record of processing activities under the responsibility of the controller or processor. The EDPB considers that, whilethe maintenance of this record is an obligationimposed on both the controller or processer and the representative, the controller or processor not established in the Unionis responsible for the primary content and update of the record and must simultaneously provide its representative with all accurate and updated information so that the record can also bekept and made available by the representative at all time. At the same time, it is the representative ́s own responsibility to be able to provide it inline with Article 27, e.g. when being addressed by a supervisory authority according to Art. 27(4).

As clarified by recital 80, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union.

With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication should in principle take place in the language or languages used by the supervisory authorities and the data subjects concerned or, should this result in a disproportionate effort, that other means and techniques shall be used by the representative in order to ensure the effectiveness of communication. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor. In line with Recital 80 and Article 27(5), the designation of a representative in the Union does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves. The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union.

It should however be noted that the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective  enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative, in accordance with articles 58(2) and 83 of the GDPR. The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR.

The EDPB furthermore highlights that article 50 of the GDPR notably aims at facilitating the enforcement of legislation in relation to third countries and international organisation, and that the development of further international cooperation mechanisms in this regard is currently being considered.