Work out whether your organisation needs a GDPR EU representative and, if so, take steps to appoint one. The General Data Protection Regulation (GDPR) is Europe’s umbrella data protection law and it has far-reaching application. It applies to more organisations than you may have thought and requires controllers or processors not established in the EU (extraterritorial controllers or processors) to appoint a GDPR EU representative under certain circumstances. Let’s discuss how to work out whether your organisation needs a GDPR EU representative.
How to work out whether your organisation needs a GDPR EU Representative
The GDPR says that a controller or processor not established in the EU who is processing EU data subjects’ personal data must designate a GDPR EU representative in the EU in writing, provided that the processing activities relate to:
- offering goods or services to EU data subjects (irrespective of whether the data subject pays for those goods or services); or
- monitoring EU data subject behaviour (as far as their behaviour takes place within the EU);
unless:
- their processing activities are low risk because they are occasional, do not include large-scale processing of special personal or criminal data and are unlikely to threaten people’s rights or freedoms (taking into account the nature, context, scope and purposes of those activities); or
- they are a public institution.
The controller or processor designating a GDPR EU representative must choose a representative established in a country in the EU where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.
But, you might ask questions like:
- Is your organisation expected to appoint a different representative for each processing activity or are you allowed to appoint one for all of them?
- Can the representative also be your Data Protection Officer (DPO)?
- What constitutes occasional processing activities?
You’ll find answers to these questions in the European Data Protection Board’s final guidelines for the GDPR’s extraterritorial application.
Next steps
We can help you:
- work out whether your organisation needs a GDPR EU representative;
- determine who your representative should be; and
- actually appoint the person.
If you’re interested, please enquire now.