When do you need a GDPR representative?
As a general rule, you need a GDPR representative if your organization processes personal data of people in the EU, Norway, Liechtenstein or Iceland, but is not located in these countries.
If you have an establishment in one of these countries, you don’t need to have a GDPR representative. This establishment can act as the contact point. An establishment cannot be just a small one-person home office or a mailbox address. It must be a fixed place of business, such as an office, branch or factory.
For example, a UK company after Brexit without an establishment in the EU that sells products online to consumers in the EU has to comply, because it regularly collects personal data relating to sales of goods; if such a UK company uses a service provider to process payments or provide shopping cart functionality, the service provider can also be covered as a processor (see our data processor agreements page).
The GDPR representative is a point of contact for people and authorities in the EU, Norway, Liechtenstein or Iceland. There are exceptions to this rule: for example, a small web shop that does not process sensitive data does not need an EU GDPR representative.
How to select a GDPR representative?
Your GDPR representative can be a person or an organization.
A GDPR representative needs to have specific skills and has potential liabilities. The GDPR representative acts on your behalf. Hiring an expert company with legal, business and IT knowledge is usually the best choice.
Of course, your representative must have an in-depth knowledge of the GDPR. Excellent communication skills and knowledge of the culture of your European customers are also important, as is the right approach that fits your business. Some companies use a quick-and-easy automated approach, while others handle requests personally and engage in conversation with the customer.
Additionally, the representative can be approached by supervisory authorities and should be able to adequately answer them without leaving you in trouble. Look for companies that have experience with compliance and government oversight.
Where should the GDPR representative be located?
The representative should be located in the EU, Norway, Liechtenstein or Iceland (the European Economic Area).
This means that a GDPR representative in the United Kingdom is not possible after Brexit if the UK doesn’t join the European Economic Area (which is unlikely to happen on short notice).
Ideally, your GDPR representative should be close to the customers in a country that you’re doing most business in. If you’re doing business in multiple EU countries, it’s best to choose one of them. In that case, an internationally and trade-oriented country like the Netherlands can be a good choice.
How to appoint a GDPR representative?
After you have selected a good GDPR representative, you are ready to appoint them.
This is done using a GDPR representative agreement that defines the details and conditions of the service, as well as the protection and confidentiality of your data.
To represent you in the EU, Norway, Liechtenstein or Iceland, your GDPR representative needs information regarding your processing activities and your level of compliance with GDPR (see our GAP Analysis).
You must mandate the representative to be addressed by authorities and by the persons whose personal data you process, and work together to meet all expectations of the GDPR.
As the GDPR representative is your face to your customers with respect to privacy, you should consider this carefully.