Guidelines 03/2018 on Territorial Scope of Article 3 GDPR
SECTION 4 REPRESENTATIVE OF CONTROLLERS OR PROCESSORS NOT ESTABLISHED IN THE UNION
Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation.
This provision is not entirely new since Directive 95/46/EC already provided for a similar obligation. Under the Directive, this provision concerned controllers not established on Community territory that, for purposes of processing personal data, made use of equipment, automated or otherwise, situated on the territory of a Member State. The GDPR imposes an obligation to designate a representative in the Union to any controller or processor falling under the scope of Article 3(2), unless they meet the exemption criteria as per Article 27(2). In order to facilitate the application of this specific provision, the EDPB deems it necessary to provide further guidance on the designation process, establishment obligations and responsibilities of the representative in the Union as per Article 27.
It is worth noting that a controller or processor not established in the Union who has designated in writing a representative in the Union, in accordance with article 27 of the GDPR, does not fall within the scope of article 3(1), meaning that the presence of the representative within the Union does not constitute an “establishment” of a controller or processor by virtue of article 3(1).
a) Designation of a representative
Recital 80 clarifies that “[t]he representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.”
The written mandate referred to in Recital 80 shall therefore govern the relations and obligations between the representative in the Union and the data controller or processor established outside the Union, while not affecting the responsibility or liability of the controller or processor. The representative in the Union may be a natural or a legal person established in the Union able to represent a data controller or processor established outside the Union with regard to their respective obligations under the GDPR.
In practice, the function of representative in the Union can be exercised based on a service contract concluded with an individual or an organisation, and can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, private companies, etc… provided that such entities are established in the Union. One representative can also act on behalf of several non – EU controllers and processors.
When the function of representative is assumed by a company or any other type of organisation, it is recommended that a single individual be assigned as a lead contact and person “in charge” for each controller or processor represented. It would generally also be useful to specify these points in the service contract.
In line with the GDPR, the EDPB confirms that, when several processing activities of a controller or processor fall within the scope of Article 3(2) GDPR (and none of the exceptions of Article 27(2) GDPR apply), that controller or processor is not expected to designate several representatives for each separate processing activity falling within the scope of article 3(2). The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union. Article 38(3) establishes some basic guarantees to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. In particular, controllers or processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks”. Recital 97 adds that DPOs, “whether or not they are an employee of the controller, should be in a position to perform their duties and tasks inan independent manner”. Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union. The representative is indeed subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction. The representative is mandated by the controller or processor it represents, and therefore acting on its behalf in exercising its task, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner.
Furthermore, and to complement its interpretation, the EDPB recalls the position already taken by the WP29 stressing that “a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues”
Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance.
While the GDPR does not impose any obligation on the data controller or the representative itself to notify the designation of the latter to a supervisory authority, the EDPB recalls that, in accordance with Articles 13(1)a and 14(1)a, as part of their information obligations, controllers shall provide data subjects information as to the identity of their representative in the Union. This information shall for example be included in the [privacy notice and] upfront information provided to data subjects at the moment of data collection. A controller not established in the Union but falling under Article 3(2) and failing to inform data subjects who are in the Union of the identity of its representative would be in breach of its transparency obligations as per the GDPR. Such information should furthermore be easily accessible to supervisory authorities in order to facilitate the establishment of a contact for cooperation needs.
Example 24: The website referred to in example 12 (see section 2), based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the France, Benelux countries and Germany. This website being subject to the GDPR, as per its Article 3(2)(a), the data controller must designate a representative in the Union.
The representative must be established in one of the Member States where the service offered is available, in this case either in France, Belgium, Netherlands, Luxembourg or Germany. The name and contact details of the data controller and its representative in the Union must be part of the information made available online to data subjects once they start using the service by creating their photo album. It must also appear in the website general privacy notice.
b) Exemptions from the designation obligation
While the application of Article 3(2) triggers the obligation to designate a representative in the Union for controllers or processors established outside the Union, Article 27(2) foresees derogation from the mandatory designation of a representative in theUnion, in two distinct cases:
1 processing is “occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10”, and such processing “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”.
In line with positions taken previously by the Article 29 Working Party, the EPDB considers that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor.
Furthermore, while the GDPR does not define what constitutes large-scale processing, the WP29 has previously recommended in its guidelines WP243 on data protection officers (DPOs) that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: – the number of data subjects concerned – either as a specific number or as a proportion of the relevant population; – the volume of data and/or the range of different data items being processed; – the duration, or permanence, of the data processing activity; – the geographical extent of the processing activity
Finally, the EDPB highlights that the exemption from the designation obligation as per Article 27 refers to processing “unlikely to result in a risk to the rights and freedoms of natural persons”, thus not limiting the exemption to processing unlikely to result in a high risk to the rights and freedoms of data subjects. In line with Recital 75,when assessing the risk to the rights and freedom of data subjects, considerations should be given to both the likelihood and severity of the risk.
2 processing is carried out “by a public authority or body”.
The qualification as a “public authority or body” for an entity established outside the Union will need to be assessed by supervisory authorities in concreto and on a case by case basis. The EDPB notes that, given the nature of their tasks and missions, cases where a public authority or body in a third country would be offering goods or services to data subject in the Union, or would monitor their behaviour taking place within the Union, are likely tobe limited.
c) Establishment in one of the Member States where the data subjects whose personal data are processed
Article 27(3) foresees that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”. In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored.
The EDPB confirms that the criterion for the establishment of the representative in the Union is the location of data subjects whose personal data are being processed. The place of processing, even by a processor established in another Member State, is here not a relevant factor for determining the location of the establishment of the representative.
Example 25: An Indian pharmaceutical company, with neither business presence nor establishment in the Union and subject to the GDPR as per Article 3(2), sponsors clinical trials carried out by investigators (hospitals) in Belgium, Luxembourg and the Netherlands. The majority of patients participating to the clinical trials are situated in Belgium.
The Indian pharmaceutical company, as a data controller, shall designate a representative in the Union established in one of the three Member States where patients, as data subjects, are participating in the clinical trial (Belgium, Luxembourg or the Netherlands). Since most patients are Belgian residents, it is recommended that the representative is established in Belgium. Should this be the case, the representative in Belgium should however be easily accessible to data subjects and supervisory authorities in the Netherlands and Luxembourg.
In this specific case, the representative in the Union could be the legal representative of the sponsor in the Union, as per Article 74 of Regulation (EU) 536/2014 on clinical trials, provided that it does not act as a data processor on behalf of the clinical trial sponsor, that it is established in one of the three Member States, and that both functions are governed by and exercised in compliance with each legal framework.