Who is the data protection representative in the Union for international companies?


If you think that your company located outside the European Union is outside the scope of application of the General Data Protection Regulation (‘GDPR’), let us tell you that you may be wrong.

When the GDPR entered into force in 2018, it introduced a very important novelty: its extraterritorial application in certain cases. In other words, the GDPR applies to companies that, even if they are located outside the EU, are in one of the following cases:

  1. If you carry out processing derived from offering goods or services to European citizens.
  2. If the processing of personal data that you carry out, even outside the EU, involves monitoring or tracking the behaviour of individuals in the EU.

If you are in any of these cases, you must comply with the obligations set out in the GDPR in the same way as entities located in the EU.

In addition, in these cases, you should note that Article 27 of the GDPR provides that you must designate, in writing, a representative in the Union before one of the European supervisory authorities where you process personal data.

This appointment must therefore be formalised in writing and communicated to one of these authorities. For example, in the case of Spain, this process will be carried out through its Electronic Headquarters and through a fully online procedure, requiring the representative’s reliable identification by means of Cl@ve Mobile, DNIe or Spanish electronic certificate, EIDAS Key for European citizens, Cl@ve PIN or permanent Cl@ve.

What is the role of a representative in the EU?

The GDPR establishes that the role of the representative in the Union is to deal, on behalf of the controller or processor concerned, with enquiries, in particular from supervisory authorities and data subjects, on all matters relating to processing, in order to ensure compliance with the provisions of the Regulation.

As interpreted by the European Data Protection Board (‘EDPB’), ‘the representative in the Union acts on behalf of the controller or processor he or she represents in relation to the controller’s or processor’s obligations under the GDPR’. For example, ‘the identity and contact details of the representative must be provided to data subjects in accordance with Articles 13 and 14. While not being the data subject’s rights enforcer, the representative must facilitate communication between data subjects and the represented controller or processor, in order for the exercise of data subjects’ rights to be effective’.

This implies that there is a difference in the nature of the representative in the EU of a foreign company and a Data Protection Officer (‘DPO’) of a company, in that the representative will act on behalf of the controller or processor who has appointed him/her, whereas the DPO will not act on behalf of the controller or processor, being only a guarantor of the latter’s compliance and having a clear separation from the controller or processor.

In conclusion, appointing a representative in the EU when dealing with foreign entities to which the GDPR applies is mandatory, and failure to do so may result in large penalties, as we explained in our post on the consequences of breaching data protection regulations.

If you find yourself in this situation and you are looking for professionals who can act as your representative in the EU, Metricson’s team of lawyers has extensive international experience and knowledge of several languages, acting as DPOs and external representatives for companies around the world, in regions such as the United States, LATAM or Asia.

If you would like more information about our services, you can send us a message to contacto@metricson.com or via our contact form on our website.


Article written by

Sara Hervías

Attorney – Privacy & IP


About Metricson

With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.

If you would like to contact us, please do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!
