Frequently Asked Questions
My company is located in the EU, do I need a Representative?
No. Under Article 27 of the GDPR, the obligation to appoint a Representative only concerns controllers and processors that are not established in the EU but whose processing falls under Article 3(2): offering goods or services to data subjects in the EU, or monitoring their behaviour within the EU.
If you fall within the scope of Article 27, appointing a GDPR Representative is a straightforward process.
What is the difference between a DPO and a Representative?
There is one key difference between the two: the Article 27 Representative exists to give supervisory authorities and data subjects a point of contact on EU soil when the controller or processor is located outside the Union, whereas a DPO has to be designated regardless of the company’s location whenever the conditions of Article 37 apply (for example, core activities involving large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data).
Also, whereas the DPO works to build a culture of data protection inside the company, the Representative is there mainly to ensure effective communication with EU data subjects and data protection authorities.
If I have a DPO, do I also need a Representative?
It depends. If you have a DPO and you are not established in the EU, chances are that you fall within the scope of Article 27 and need a representative: the kind of processing that triggers the DPO obligation (large-scale monitoring, or large-scale processing of special categories of data) is not the occasional, low-risk processing that the Article 27(2) exemption covers. The converse does not hold: the obligation to appoint a representative does not by itself entail an obligation to appoint a DPO.
Do I need to be represented in multiple EU states?
No. A single representative is enough, but under Article 27(3) it must be established in one of the Member States where the data subjects whose data you process (by offering them goods or services, or by monitoring their behaviour) are located. If your data subjects are in several Member States, you may choose among those states.
What are the tasks and responsibilities of an EU representative under Article 27?
Article 27 Representatives are designated in writing by a data controller or processor and mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects “on all issues related to processing, for the purposes of ensuring compliance” with the GDPR (Article 27(1) and (4), GDPR).
Article 27 Representatives act as intermediaries to ensure effective communication between EU data subjects, companies and data protection authorities. Where you are required to keep a record of processing activities (Article 30, GDPR), the representative must maintain that record as well and make it available to the supervisory authority on request (Article 30(1), (2) and (4), GDPR).
How do I appoint SYBIL as my EU representative?
Step One: Get in touch with us through our website, by email or by phone, whichever suits you. We will discuss your compliance needs with respect to GDPR representation.
Step Two: Once we have established your needs, our team will guide you through our straightforward and easy-to-use onboarding process.
Step Three: Once you have completed the onboarding process, SYBIL will be your representative in the EU!
What are the risks for non-compliance?
There are multiple risks associated with non-compliance with the GDPR.
- As set out in the Regulation, non-compliant companies can be subject to administrative fines of up to €20,000,000 or 4% of annual worldwide turnover, whichever is higher (Article 83(5), GDPR). Failing to designate a representative falls under the lower tier: fines of up to €10,000,000 or 2% of annual worldwide turnover, whichever is higher (Article 83(4)(a), GDPR).
- National Data Protection Authorities can order non-compliant processing to stop, up to and including a temporary or definitive ban on processing (Article 58(2)(f), GDPR), resulting in loss of business.
- Non-compliance can affect your reputation and growth opportunities in the EU.
What are the exemptions from the obligation to appoint an EU representative?
Under Article 27(2) of the GDPR, you are not required to appoint a Representative if all of the following hold: your processing is occasional, it does not include large-scale processing of special categories of personal data (Article 9) or of data relating to criminal convictions and offences (Article 10), and it is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. Public authorities and bodies are also exempt.
Once I have designated my GDPR Article 27 Representative, am I GDPR compliant?
No. The designation of a representative does not exempt you from any other compliance duty under the GDPR. In particular, the European Data Protection Board has stated that “it is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with [the] Regulation. Data protection compliance is the responsibility of the controller or the processor”.
Terms and Definitions
Consent:
According to the GDPR, the consent of the data subject is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. (Article 4(11), GDPR)
Cross-border processing:
“Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State”. (Article 4(23), GDPR)
Data Protection Officer (DPO):
A Data Protection Officer is a role under the GDPR assumed by a person (a staff member or an external provider under a service contract) with expert knowledge of data protection law and practice.
The DPO must be free of conflicts of interest with any other tasks they hold in the organisation and must be able to act independently. They are responsible for informing and advising the organisation on its obligations and for monitoring its compliance. (Articles 37 to 39, GDPR)
Data Protection Authority (DPA):
A Data Protection Authority is an independent public authority in an EU Member State that “supervises, through investigative and corrective powers, the application of the data protection law”. (ec.europa.eu)
Most Member States have a single DPA, but Article 51 of the GDPR allows one or more per Member State, and some, such as Germany, have several. To find yours, please visit the European Commission website.
Data Subject:
A data subject is an identified or identifiable natural person; “[…] an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. (Article 4(1), GDPR)
Data Controller:
“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” (Article 4(7), GDPR)
Data Processor:
A Data Processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. (Article 4(8), GDPR)
Personal Data:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. (Article 4(1), GDPR)
Privacy by Design:
Privacy (or data protection) by design means building data-protection safeguards, such as pseudonymisation and data minimisation, into the design of the processing itself, so that the protection of data subjects’ data is a property of the system rather than an afterthought. (Article 25(1), GDPR)
Privacy by Default:
The controller shall implement appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed. This applies to the amount of data collected, the extent of processing, the storage period and the accessibility of the data. (Article 25(2), GDPR)
Processing:
“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” (Article 4(2), GDPR)
Right of Access:
The right of access is the foundation that allows the data subject to exercise their other rights under the GDPR (rectification, erasure, restriction and objection), since one cannot challenge processing one does not know about. More specifically:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.” (Article 15, GDPR)
Right to Erasure (“Right to be forgotten”):
The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase those data without undue delay where one of the grounds in Article 17(1) applies (for example, the data are no longer necessary for the purpose they were collected for, or the consent on which the processing was based has been withdrawn). (Article 17, GDPR)
Record of processing activities:
The record of processing activities is written documentation (electronic form is acceptable) describing the processing an organisation carries out. For a controller it must include at least the name and contact details of the controller (and, where applicable, of the representative and the DPO), the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries, the envisaged retention periods where possible, and a general description of the security measures. The record must be made available to the supervisory authority on request. More details in Article 30, GDPR.
Representative:
A controller or processor not established in the Union but subject to Article 3(2) shall designate in writing a representative in the Union (Article 27(1), GDPR). The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are (Article 27(3), GDPR). The representative is mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all issues related to processing, for the purposes of ensuring compliance with this Regulation (Article 27(4), GDPR).