RD Privacy


Differences between EU Privacy Directive and GDPR regarding the Data Protection Representative

According to Directive 95/46/EC, controllers that are not established on the territory of the EU but, for the purposes of processing personal data, make use of equipment, automated or otherwise, situated on the territory of a Member State must designate a representative established in that Member State, without prejudice to legal actions that could be initiated against the controller itself.

The representative under the Directive does not carry much liability: it is liable for its own acts of negligence or wilful misconduct, but the controller remains the entity responsible for securing the data and ensuring compliance with privacy laws.

With the GDPR this regime was considerably modified. Not only are both controllers and processors required to appoint a Representative if certain conditions are met, but the designated representative is also subject to enforcement proceedings in the event of non-compliance by the controller or processor.

In terms of liability, this is a big change: the Representative now assumes responsibility for ensuring that the entity it represents complies with applicable privacy laws.

According to the GDPR, the Representative acts on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative must be explicitly designated by a written mandate to act on behalf of the entity it represents. While having a representative does not affect the responsibility or liability of the controller or of the processor, the representative is itself considerably liable and is subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Another difference is how the GDPR determines the need to appoint a representative, and the exemptions from it. Previously the need to appoint a representative was linked only to the use of equipment situated on the territory of a Member State, and controllers were exempt from that obligation if the equipment was used only for purposes of transit.

With the GDPR, controllers and processors shall designate a representative if they process personal data from data subjects who are in the Union and such activities are related to:

(1) the offering of goods or services to data subjects in the Union; or

(2) the monitoring of data subjects' behaviour, as far as their behaviour takes place within the Union,

unless the processing is occasional, does not include, on a large scale, processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, or unless the entity processing the data is a public authority or body.

Lastly, the Directive required controllers to appoint a representative in each territory where the processing activities took place. Under the GDPR, controllers and processors are required to designate only a single representative, which must be established in one of the Member States where the data subjects are located.

While this last requirement seems to open the door for many EU entities to act as Data Protection Representatives, we cannot forget that the activity involves considerable liability and requires the representative to have a full overview of the processing activities. Fines are large, and the risk is too high to take on a representative role if the representative does not have a complete overview of, and power over, the processing activities.

Regards,

DCA