While the General Data Protection Regulation (GDPR) has been incredibly clear on a number of requirements, a certain element of mystery remains around the role of the EU Representative and its connection, if any, to the responsibilities of the Data Protection Officer (DPO). Because the two ultimately seek to safeguard data subjects’ personal data, they are sometimes lumped together, but the reality is they have very different parts to play within an organization.
Companies based in the EU must designate a Data Protection Officer or DPO team. Organizations that do not have a physical presence in the EU but handle EU citizens’ and residents’ data are required to appoint an EU Representative.
As May 25 approaches, many organizations are concerned with the steps they must take to ensure that they are aligned with all the GDPR’s requirements, especially those around DPOs and EU Representatives. This blog post focuses on some of the questions we hear regarding the appointment of a DPO and/or an EU Representative:
DPOs and EU Representatives have significantly different job roles. In fact, they’re so different that assigning one person to do both jobs could result in a problematic conflict of interest, which we’ll return to below. For now, here’s a look at the basic functions of each role:
The DPO has an obligation to the organization to support and enable its efforts to maintain compliance with the GDPR. Provisions in the GDPR also protect the DPO from being held liable for any legal action that might be taken by Data Protection Authorities (DPAs) or data subjects.
EU Representatives serve as a point of contact between the organization and both EU authorities and data subjects. As the title implies, EU Representatives must be established in the EU, and to keep clear channels of communication open they must be based in one of the Member States where the organization’s data subjects reside.
While the DPO supports the organization in its GDPR compliance efforts, the EU Representative serves as a direct point of contact for data subjects and DPAs.
Companies can designate an EU Representative to serve as the sole point of contact between the data controller and both EU authorities (DPAs) and data subjects.
The primary tasks of an EU Representative are: (1) responding to any inquiries DPAs or data subjects may have concerning data processing; (2) receiving legal documents for the company as an authorized agent and maintaining records of processing activities; (3) making data processing records accessible to supervising authorities when requested; and (4) being subject to enforcement proceedings in the event of the company’s non-compliance with the regulation. Companies with concerns about how the EU Representative role may affect their organization should know they can decide the scope of a Representative’s role and authority during the contractual process of appointing a Representative.
Article 27 of the GDPR states that an EU Representative is a requirement for all non-European companies that handle EU data subjects’ information but do not have a physical presence in any of the Member States that make up the EU. However, non-European companies with legal entities or subsidiaries in an EU member state(s) are not required to appoint an EU Representative. Although an EU Representative is not necessary in this scenario, it is important for these companies to understand that the DPAs will address any inquiries and compliance issues directly with the organization’s leadership team if there is no Representative.
For non-European companies with legal entities in the EU, a possible solution may be to appoint a DPO or hire a privacy professional to support compliance efforts (even though they are not obligated to do so under the Regulation). For these companies, a DPO may be needed more than a Representative because the company will likely have to meet more GDPR requirements, resulting in more responsibilities than an EU Representative could fulfill.
In addition, appointing a DPO may prove easier than finding a willing individual to fulfill the EU Representative position, due to the possible legal implications. Individuals accepting the EU Representative position must be aware that they may be held legally responsible for any related breaches or instances of non-compliance and may be subject to legal action, including the heavy fines and penalties of the Regulation. DPOs, however, are protected from any legal action by the DPAs.
The Irish Office of the Data Protection Commissioner (DPC) is the only government entity that has attempted to answer this question due to the lack of clarity provided by the GDPR. The DPC states that although there is nothing prohibiting an individual from filling both roles, it would be the organization’s responsibility to ensure that a DPO does not take on tasks that may result in a conflict of interest. Within its response, the DPC made it clear that it believed a conflict of interest between the two roles would likely arise, especially around the issue of confidentiality. An EU Representative serves as a liaison between an organization and both its data subjects and the DPA; a DPO playing both roles, however, may feel conflicted when they receive certain concerns from data subjects or the DPA, as they have an obligation to facilitate the organization’s compliance with the GDPR.
Because the GDPR is unclear about the interplay between the DPO and the EU Representative, it will probably benefit most companies to keep the two roles separate, avoiding potential conflicts of interest and any compliance issues that may arise. Each has an important role to play in the world of data privacy, with a long list of responsibilities best taken on by one individual, focused exclusively on those tasks.
Focal Point offers specialized DPO services, covering key functions like data subject access requests. Request a meeting with one of our GDPR experts today to learn more about this offering.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.