Those of us working in data privacy compliance have had a busy few years; we have been particularly occupied with the many 'big ticket' items such as Brexit, new rules around international transfers, and of course the implications of data collection during a global pandemic. It is perhaps no wonder that some of the more 'administrative' compliance obligations have dropped down the list of priorities. Among them: the obligation on companies under EU/UK GDPR Article 27 to appoint a local representative in circumstances where they are caught by the extraterritoriality provisions of the EU/UK GDPR.
The rule
In short, unless one of the limited list of exemptions applies, a non-EEA/UK business should appoint a representative in the EU or UK if it offers goods or services to, or monitors, individuals residing in the EU/UK. The representative can be appointed by way of a simple appointment letter and mainly acts as a local point of contact for any data protection authority (DPA) or data subject with questions or concerns about the data processing undertaken by the relevant foreign company. Indeed, the High Court helpfully confirmed in May that representatives are not liable for the actions of the controller they represent. However, there are a few relatively straightforward compliance obligations that the company and representative need to be aware of. For example, the privacy notice of the company should refer to the representative, as should its internal Record of Processing Activities (RoPA). Similarly, the representative itself should maintain a RoPA in relation to its client’s processing that falls within the remit of the EU/UK GDPR’s extra-territoriality provisions.
The risk of non-compliance
Although the appointment is relatively painless and the ongoing compliance obligations minimal, it is misguided to believe that the risks of non-compliance are similarly minor. No matter how busy they are with other matters, regulators are increasingly focused on Article 27 and non-compliance is easy to spot: whenever a DPA is put on notice that a foreign entity might be involved in some other data protection compliance issue, it will be obvious when there is no local representative that the regulator can turn to for any questions or concerns in relation to the initial compliance issue. Essentially, the breach reveals itself in those circumstances.
For example, the Dutch DPA has recently fined “Locatefamily.com”, a Canadian business that specialises in putting people back in touch with their loved ones. You can find the decision here (Dutch language only). There was initially a concern that the company acted in breach of its wider data protection obligations by posting contact details of data subjects on its website without their knowledge. However, the regulator ended up focusing on the company’s failure to appoint a representative in accordance with GDPR Article 27. Of particular concern was the fact that this lack of a local representative made it very difficult for data subjects to submit an erasure request in relation to personal data that they had never shared with Locatefamily.com, but which was nonetheless published on its website. Not only did the DPA impose a lump sum fine of over EUR 500,000, it also ordered Locatefamily.com to pay an additional EUR 20,000 for each subsequent two-week period in which it failed to make the appointment - up to a maximum of another EUR 120,000.
This is a hefty fine for a breach of what was generally considered something of an ancillary compliance obligation. The fine appears to have acted as a bit of a wake-up call, as a number of our clients are quickly moving the representative appointment up their to-do list. However, there is no need to panic. Appointing a representative does not have to be a cumbersome process. All it requires is an understanding of whether you are subject to the EU/UK GDPR by way of the extra-territoriality provisions and whether you fall within any of the exemptions. The process of appointing a representative is quick, and the choice is large, with many new representative service providers having entered the market in the last year or so. Just don’t leave it too late...