EDPB finalises guidelines for GDPR Article 27 EU Representative

Please note that this article only addresses the changes to section 4 of EDPB guidelines 03/2018, in respect of the EU Data Protection Representative appointed under Article 27 of GDPR, and not the remainder of the territorial scope guidelines.

On 12 November 2019, the European Data Protection Board met for their 15th plenary session and, among a number of agenda items, finalised the wording of their guidance document on the territorial scope of GDPR – guidelines document 03/2018 – including clarifications around the appointment and role of the EU Data Protection Representative under Article 27 (the “Guidelines”[1]). The Guidelines were originally issued for consultation almost exactly one year previously (16 November 2018), and the time between the end of the consultation response period (January 2019) and its final publication no doubt indicates the number of submissions they received in response.

It should first be noted that the EDPB’s own summary of the changes states that they aren’t extensive; they noted that they have “maintain[ed] the overall interpretation and methodology presented in the first version of the guidelines”[2]. The principle that the Representative be located in the EU member state where the controller/processor has the largest number of data subjects remains, as does the need for data subjects in other member states to have easy access to the Representative and that the Representative may be held liable for the GDPR violations of their clients.

However, there have been a number of clarifications which are worth noting, and which subtly alter the position of the EU Representative and the non-EU data controller or processor which appoints them. Most notable are:

• Data controllers/processors outside the EU which undertake more than one data processing activity do not need to appoint a separate Representative in respect of each processing activity;
• An EU-based data processor should not be appointed the EU Representative of a non-EU company for which it is processing data (other than, presumably, where that processing is limited to what is required to undertake the role of Representative), due to the potential conflict of interests between those roles (similar to the already-included stipulation that the same company should not be appointed as DPO and Representative for the same data controller/processor);
• The name and contact details of the Representative must be part of the information made available to data subjects on the collection of their data and in the privacy policy;
• Occasional exemption from appointing a Representative (Article 27(2)(a)):
• That “occasional” should be interpreted in line with previous guidance from the Article 29 Working Party, adopted by the EDPB, around exemptions from the obligation to prepare records of processing in line with Article 30 (“ … a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor”)[3];
• For the third element required to activate this exemption – whether the processing is “unlikely to result in a risk to the rights and freedoms of natural persons” – that when assessing this element “considerations should be given to both the likelihood and severity of the risk”;
• For the public authority exemption (Article 27(2)(b)): whether an entity is considered to fall into this category will depend on how this is defined by the relevant national law  and will be assessed by the relevant data protection authority on a case-by-case basis (NOTE: this refers to the national law of the EU member state in which the data subject is based, not the law of the country where the non-EU controller/processor is based, leading to the potential for forum shopping in the event of a GDPR violation by a non-EU quasi-public authority which impacts data subjects across many EU member states);
• Article 30 records of processing:
• That the data controller/processor is responsible for the “primary content” of the records of processing (previously it could be argued that this responsibility was shared between the controller/processor and their Representative) and must provide their Representative with the updated records “simultaneously” as they are prepared internally (this will likely be easier for data controllers/processors who use an online resource – to which their Representative has access – to prepare and store their records of processing);
• It is the Representative’s responsibility to be able to provide the records when requested by an EU data protection authority (Article 27(4));
• When communicating with a data subject, the Representative “should in principle” (previously “must”) do so in the language of the data subject/data protection authority involved unless this “result[s] in a disproportionate effort”, in which case “other means and techniques shall be used by the representative in order to ensure the effectiveness of communication”;
• Liability of the EU Representative:
• There is no “substitutive liability of the representative in place of [their client]” (NOTE: based on the remainder of this part of the Guidelines, I believe this intends to state that the Representative cannot initially be held primarily liable for the GDPR violations of their client, not that such liability cannot later be applied to the Representative if their client fails to meet it[4]);
• Clarification that “supervisory authorities [may] address corrective measures or administrative fines and penalties … to the representative” for the violations of their client to ensure “effective enforcement of the GDPR”;
• Notice that “the development of further international cooperation mechanisms” to enforce GDPR fines and corrective measures internationally are being considered (NOTE: the international enforceability of GDPR fines remains a significant unanswered question).

As a side-note of potential historical interest, reference to the UK has been removed from Example 24 (previously Example 19), no doubt to remove potential confusion in the event of Brexit.

Naturally, there are still some minor areas where uncertainty remains and, with the EU Representative role only now starting to be discussed in enforcement proceedings[5], the issues around this obligation and the duties/liability of the Representative will be discussed and further clarified in courts across the EU over the next few years.

Overall, any clarification of GDPR is to be welcomed – if for no other reason that to prevent easily-settled matters from clogging up national courts (and, ultimately, the European Court of Justice) where possible. However, based on the author’s discussions with others in the GDPR sector, it’s likely that some element of the Guidelines will continue to be viewed as “best practice” rather than legally-binding expectations, so these issues may yet end up being argued in the court cases (and appeals) which these Guidelines were designed to prevent.

Tim Bell is the Managing Director of DPR Group, a leading provider of EU Data Protection Representative services through its network of 28 contact locations (one in each EU member state). If you require an EU Representative as a result of Article 27 of GDPR, or are not sure whether you need one, please feel free to contact DPR Group to discuss the issues at: [email protected]. DPR Group has prepared a comparison document showing the changes to the Guidelines - if you would like a copy of this, please feel free to contact us.

[1] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

[2] https://edpb.europa.eu/news/news/2019/fifteenth-plenary-session-privacy-shield-review-guidelines-territorial-scope_en?mkt_tok=eyJpIjoiT1dJMU56VXdZemczTUdFeCIsInQiOiJcL3ZrTmtpMmYrSE93Rlo5VUN6bVVNaW10MzdPT3lVR0hLSmUxbFRlSjlcL1RjMWYwaTV2cXBLK1BNdklGNG1lMnpaRm9QM3ZLU1JQYmdibkhQaDFTSmlkaHlUXC9zQ0pQSzl1Vngyd1g3S2l5T2FMaE1PMlhaRThGU0JCd2x1M3NONiJ9

[3] WP29 position paper related to article 30(5): https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=624045

[4] This seems to be a response to the incorporation of GDPR into Spanish law, in which the Representative may be held primarily liable for their client’s GDPR violations in the first instance, without the Spanish data protection authority having first attempted to recover from the non-compliant controller/processor.

[5] The obligation to appoint an EU Representative was discussed in a case in Austria in early 2019 – the court concluded the data processor in that instance had an EU establishment, so was not in need of an EU Representative. For more information see the court report here (German language): https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00