When do you need a GDPR representative?
As a general rule, you need an EU GDPR representative if your organization processes personal data of people in the EU, Norway, Liechtenstein or Iceland, but is not located in these countries.
After Brexit, a separate UK GDPR representative is needed if your organization processes personal data of people in the United Kingdom.
If you have an establishment in one of these countries, you don’t need to have a GDPR representative. This establishment can act as a contact point. An establishment cannot be just a small one-person home office or a mailbox address. It must be a fixed place of business, such as an office, branch or factory.
For example, a UK company after Brexit without an establishment in the EU that sells products online to consumers in the EU has to comply, because it regularly collects personal data relating to sales of goods; if such a UK company uses a service provider to process payments or provide shopping cart functionality, the service provider can also be covered as a processor (see our data processor agreements page).
The EU GDPR representative is a point of contact for people and authorities in the EU, Norway, Liechtenstein or Iceland. The UK GDPR representative has the same function for UK inhabitants and authorities (i.e. the ICO).
There are exceptions to this rule: for example, a small web shop that does not process sensitive data does not need an EU or UK GDPR representative.
How to select a GDPR representative?
Your GDPR representative can be a person or an organization.
A GDPR representative needs to have specific skills and has potential liabilities. The GDPR representative acts on your behalf. Hiring an expert company with legal, business and IT knowledge is usually the best choice.
Of course, your representative must have an in-depth knowledge of the GDPR. Excellent communication skills and knowledge of the culture of your European customers are also important, as is an approach that fits your business. Some companies use a quick-and-easy automated approach, while others handle requests personally and engage in conversation with the customer.
Additionally, the representative can be approached by supervisory authorities and should be able to adequately answer them without leaving you in trouble. Look for companies that have experience with compliance and government oversight.
Where should the GDPR representative be located?
The EU GDPR representative should be located in the EU, Norway, Liechtenstein or Iceland (the European Economic Area).
The UK GDPR representative should be located in the United Kingdom.
You need both GDPR representatives when you process personal data of inhabitants of both the European Economic Area and the UK.
Ideally, your GDPR representative should be close to the customers in the country where you do the most business. If you’re doing business in multiple EU countries, it’s best to choose one of them. In that case, an internationally and trade-oriented country like the Netherlands can be a good choice.
How to appoint a GDPR representative?
After you have selected a good GDPR representative, you are ready to appoint them.
This is done using a GDPR representative agreement that defines the details and conditions of the service, as well as the protection and confidentiality of your data.
To represent you in the EU, Norway, Liechtenstein, Iceland and/or the UK, your GDPR representative needs information regarding your processing activities and your level of compliance with GDPR (see our GAP Analysis).
You must mandate the representative to be addressed by authorities and by the persons whose personal data you process, and work together to meet all expectations from the GDPR.
As the GDPR representative is your face to your customers with respect to privacy, you should consider this carefully.