GDPR : Should non-EU companies designate a DPO/a representative/both?
Even if your company is not established in the EU, you probably have heard about the famous “GDPR“. This European regulation entered into force in May 2018. It contains the rules regarding the processing of personal data.
Like every company, you process personal data everyday (from clients, employees, ….). And, as a company willing to be compliant, you are asking questions: does this EU regulation apply to me? If so, do I have to appoint a specific agent in the EU to comply?
Don’t panic! Here is a little summary of what the GDPR provides for the data controller or processor outside EU.
Territorial scope of the GDPR
When the GDPR was adopted, one of the objectives was to establish a territorial scope as wide as possible. Consequently, the GDPR applies to every company that is established in the EU (The EU establishment may be a headquarter or a simple office) but it also applies to companies not established in the EU that:
- offer goods or services to data subjects in the Union (it can be through an e-commerce site, with prices in euros) ; or
It is also worth noting that, if you act as a processor for a controller established within the EU, GDPR applies to your company.
The EU representative
If your company is not established in the EU, you have to designate a “EU representative”. The EU representative accounts for the data controller or processor and acts as the point of contact in the EU, between the data controller or processor and the data subjects or the supervisory authority.
This designation can only be avoided in some particular cases:
- if the processing is occasional, and does not include, on a large scale, processing of special categories of data (listed in article 9 (1) of the GDPR) or processing of personal data relating to criminal convictions and offences (article 10 of the GDPR); or
- when the processing is being carried out by a public authority or body.
The Data Protection Officer (DPO)
Another key player in the GDPR compliance is the Data Protection Officer (DPO). His mission is to inform the company and providing some help in order to comply with the GDPR. The designation of the DPO should be made following different principles, enumerated in the GDPR. For example, the DPO must be independent.
The DPO must be designated in some particular cases, regardless whether the company has an establishment in the EU or not.
More precisely, you have to designate a DPO in these assumptions:
- you are a public authority (except for courts acting in their judicial capacity):
- your core activities require large scale, regular and systematic monitoring of individuals (i.e. online behaviour tracking); or
- your core activities consist of a large scale processing of special categories of data relating to criminal convictions and offences.
But you can appoint a DPO if you wish even if you are not required to. DPOs can help to demonstrate compliance with the GDPR.
The EU representative cannot be confounded with the DPO. Their roles are very different:
The DPO does not represent the company, he acts independently. While the EU representative represents the company, it is not independent.
Another important difference is that the DPO cannot be held personally responsible, while the EU representative can.
Consequently, if you are required to designate both of them, you should designate two different persons, as to avoid a conflict of interest.
van Eléonore Colson