<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>EU Representation Services &#8211; DPO Centre</title>
	<atom:link href="https://www.dpocentre.ca/blog/category/eu-representation-services/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.dpocentre.ca</link>
	<description>Empowering Compliance, Protecting Data, Ensuring Trust. - DPO Centre</description>
	<lastBuildDate>Mon, 07 Apr 2025 11:35:08 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.dpocentre.ca/wp-content/uploads/2024/07/cropped-dpo-favicon_512x512-32x32.png</url>
	<title>EU Representation Services &#8211; DPO Centre</title>
	<link>https://www.dpocentre.ca</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How GDPR territorial scope impacts North American businesses</title>
		<link>https://www.dpocentre.ca/blog/gdpr-territorial-scope-north-american-businesses/</link>
		
		<dc:creator><![CDATA[Taylor Swann]]></dc:creator>
		<pubDate>Thu, 09 Jan 2025 15:41:50 +0000</pubDate>
				<category><![CDATA[EU Representation Services]]></category>
		<category><![CDATA[Principles of GDPR]]></category>
		<guid isPermaLink="false">https://www.dpocentre.ca/?p=21680</guid>

					<description><![CDATA[<p>For North American businesses operating across the EU and UK, understanding GDPR territorial scope is essential. As digital transactions increase, especially with cloud-based workflows and remote-working teams, personal data is frequently transferred across country borders. This often creates significant regulatory challenges for global businesses striving to remain compliant while ensuring operational efficiency.&#160; In this blog, [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.dpocentre.ca/blog/gdpr-territorial-scope-north-american-businesses/">How GDPR territorial scope impacts North American businesses</a> appeared first on <a rel="nofollow" href="https://www.dpocentre.ca">DPO Centre</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>For North American businesses operating across the EU and UK, understanding GDPR territorial scope is essential. As digital transactions increase, especially with cloud-based workflows and remote-working teams, personal data is frequently transferred across country borders. This often creates significant regulatory challenges for global businesses striving to remain compliant while ensuring operational efficiency.&nbsp;</p>



<p>In this blog, we demystify the GDPR’s extended jurisdiction for non-EU and non-UK businesses. You’ll discover practical guidance on compliance obligations and how to handle the complexities of cross-border data transfers.&nbsp;</p>



<p>For the purposes of this blog, GDPR refers to both the EU GDPR and the UK GDPR. Although the two pieces of legislation are essentially similar, there are some differences as a result of the UK leaving the EU.&nbsp;</p>



<h2 class="wp-block-heading"><strong>Understanding the GDPR’s global reach</strong></h2>



<p>The General Data Protection Regulation (GDPR) transformed global privacy standards, requiring even non-EU and non-UK businesses to comply if they process the personal data of individuals in the EU and/or UK. This is known as extra-territorial scope, and it means that even if your company isn’t based in the EU or UK, you may still be subject to the GDPR’s rules if you offer goods or services to, or monitor the behaviour of, individuals in the EU or UK.&nbsp;</p>



<p>For any business, understanding the GDPR’s jurisdictional reach is vital – not only to avoid penalties but also to build trust and confidence with customers.&nbsp;</p>



<h2 class="wp-block-heading"><strong>How to assess GDPR applicability for your business</strong></h2>



<p>Determining whether the GDPR applies to your business can seem daunting, especially for companies without any physical presence in the EU or UK. Here is an overview of how organizations in the EU/UK are impacted versus those operating outside these regions.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>Business location</strong></td><td><strong>GDPR applicability</strong></td><td><strong>Relevant article</strong></td></tr><tr><td>EU/UK</td><td>Applies to all organizations established in the EU/UK that process personal data, regardless of company size or the nature of the processing, and regardless of whether the processing itself takes place inside the EU/UK. This includes businesses, charities and not-for-profits, and public authorities</td><td>Article 3(1)</td></tr><tr><td>Non-EU/UK</td><td>Applies if the organization offers goods or services to individuals in the EU/UK (whether or not payment is required) or monitors their behaviour, as far as that behaviour takes place within the EU/UK</td><td>Article 3(2)</td></tr></tbody></table></figure>



<h2 class="wp-block-heading"><strong>Are you a data controller or data processor under the GDPR?</strong></h2>



<p>Identifying whether your business is acting as a <strong>data controller</strong> or <strong>data processor</strong> under the GDPR is also essential, as this distinction will shape your compliance obligations and the specific responsibilities you have under the law.&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Data controller</strong>: An entity (such as an organization) that, alone or jointly with others, determines the purposes and means of the processing of personal data&nbsp;</li>

<li><strong>Data processor</strong>: An entity that processes personal data on behalf of, and on the documented instructions of, a data controller&nbsp;</li>
</ul>



<p>For more detailed information, visit the European Data Protection Board (EDPB) website for the <a href="https://www.edpb.europa.eu/sme-data-protection-guide/faq-frequently-asked-questions/answer/who-data-controller-and-who-data_en" data-type="link" data-id="https://www.edpb.europa.eu/sme-data-protection-guide/faq-frequently-asked-questions/answer/who-data-controller-and-who-data_en" target="_blank" rel="noopener"><strong>EDPB’s official guidance on data controllers and data processors.</strong>&nbsp;</a></p>



<p>For UK guidance, the Information Commissioner’s Office (ICO) has similar <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/" data-type="link" data-id="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/" target="_blank" rel="noopener"><strong>UK GDPR guidance on controllers and processors</strong>.&nbsp;</a></p>



<h2 class="wp-block-heading"><strong>Key compliance responsibilities for non-EU/UK data controllers</strong></h2>



<p>Data controllers that fall within the GDPR’s extra-territorial scope must comply with the Regulation in full. Controllers have broader and more direct responsibilities than processors, but these are the two most fundamental requirements:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Comply with the GDPR’s 7 principles –</strong> This is essential, not only for compliance but to build trust with customers&nbsp;</li>



<li><strong>Appoint an EU/UK Representative – </strong>If your business doesn’t have an establishment in the EU/UK and you process the personal data of EU/UK individuals, Article 27 requires you to designate a Representative in writing so that your organization can be contacted by supervisory authorities and data subjects on data protection matters within the region, including Data Subject Access Requests (DSARs). The only exemptions are those in Article 27(2): processing that is occasional, does not include large-scale processing of special category or criminal offence data, and is unlikely to result in a risk to individuals; and processing by public authorities or bodies&nbsp;</li>
</ul>



<h2 class="wp-block-heading"><strong>Key compliance responsibilities for non-EU/UK data processors</strong></h2>



<p>Under the GDPR, if your business acts as a data processor, you will have fewer responsibilities compared to data controllers, but you must still comply with certain GDPR requirements. These are some of the key obligations:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Comply with your Data Processing Agreement (DPA) &#8211; </strong>As a processor, you must follow the terms set out in your DPA (typically drafted by the controller), which includes your responsibilities around:&nbsp;
<ul class="wp-block-list">
<li>Protecting personal data</li>



<li>Maintaining confidentiality</li>



<li>Implementing the appropriate measures to ensure data security</li>



<li>Data breach notifications</li>



<li>Compliance with GDPR and any other relevant data protection laws</li>
</ul>
</li>



<li><strong>Appoint an EU/UK Representative – </strong>The Article 27 obligation applies to processors as well as controllers: if your business has no establishment in the EU/UK and processes the personal data of EU/UK individuals, you must appoint an EU/UK Representative to act as your point of contact within that region for regulatory matters, unless one of the narrow Article 27(2) exemptions applies&nbsp;</li>
</ul>



<h2 class="wp-block-heading"><strong>Managing data transfers under the GDPR</strong></h2>



<p>Understanding the privacy requirements for data transfers from the EU and UK to North America is another key component of the extra-territorial scope of the GDPR. Whether you are a data controller or a data processor, transferring personal data outside the European Economic Area (EEA)/UK requires careful attention to data protection to ensure compliance with GDPR standards.&nbsp;</p>



<p>On January 15, 2024, the European Commission published its review of the existing adequacy decisions and confirmed that Canada continues to provide an adequate level of protection. The EU adequacy decision for Canada covers recipients that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), meaning that EU individuals’ data can flow to those Canadian commercial organizations without additional safeguards. The UK has also retained adequacy for Canada, so Canadian commercial organizations can continue to receive personal data from the UK without the need for additional safeguards.&nbsp;</p>



<p>Adequacy does not cover every North American recipient. Transfers to the United States rely on the EU-US Data Privacy Framework (and its UK Extension) where the recipient is certified, or otherwise on another transfer mechanism such as Standard Contractual Clauses. It therefore remains crucial for businesses to regularly review their data transfer mechanisms and privacy practices to ensure ongoing compliance.&nbsp;</p>



<h2 class="wp-block-heading"><strong>Essential compliance tips for businesses outside the EU and UK</strong></h2>



<p>Achieving compliance with the GDPR can seem challenging but there are some initial practical steps you can follow to support your compliance journey:&nbsp;</p>



<p><strong>Conduct a data audit</strong> to understand what personal data is collected, where it is stored, and with whom it is shared. This will help you identify any gaps in compliance and areas for improvement.&nbsp;</p>



<p><strong>Implement robust data protection policies and procedures </strong>that establish clear data handling practices.&nbsp;</p>



<p><strong>Appoint a <a href="https://www.dpocentre.ca/services/outsourced-dpo-services/" data-type="link" data-id="https://www.dpocentre.ca/services/outsourced-dpo-services/">Data Protection Officer (DPO)</a></strong> or another senior individual accountable for data protection matters to oversee compliance efforts.&nbsp;</p>



<h2 class="wp-block-heading"><strong>Summary</strong></h2>



<p>The GDPR’s reach extends beyond the EU and UK. This means that even if your business is based in Canada or the US, you may still need to comply with the GDPR if you offer goods or services to individuals in the EU/UK or monitor their behaviour. Knowing whether your business acts as a data controller or data processor is also essential for determining your specific obligations under the law.</p>



<p>For North American businesses, compliance involves adhering to the GDPR’s core principles, appointing an EU/UK Representative, and ensuring safe cross-border transfers. By taking practical steps to ensure compliance, businesses can turn compliance into a competitive advantage and strengthen customer trust and reputation.&nbsp;</p>



<p>The DPO Centre has one of the largest teams of specialist DPOs available and our EU/UK Representatives cover all 27 EU Member States and the UK – if your business would benefit from our support, please <strong><a href="https://www.dpocentre.ca" data-type="link" data-id="https://www.dpocentre.ca">contact us</a></strong> and we can discuss your needs.&nbsp;</p>



<p>____________________________________________________________________________________________________________</p>



<h3 class="wp-block-heading"><strong>In case you missed it…</strong>&nbsp;</h3>



<ul class="wp-block-list">
<li><a href="https://www.dpocentre.ca/privacy-in-canada-usa-2024-and-2025-expectations/" data-type="link" data-id="https://www.dpocentre.ca/privacy-in-canada-usa-2024-and-2025-expectations/"><strong>Privacy in Canada and USA: 2024 highlights and 2025 expectations</strong>&nbsp;</a></li>



<li><a href="https://www.dpocentre.ca/gdpr-guide-for-saas-companies-eu-uk/" data-type="link" data-id="https://www.dpocentre.ca/gdpr-guide-for-saas-companies-eu-uk/"><strong>GDPR advice for SaaS companies entering EU &amp; UK markets</strong>&nbsp;</a></li>



<li><a href="https://www.dpocentre.ca/quebecs-law-25-a-guide-to-support-privacy-compliance/" data-type="link" data-id="https://www.dpocentre.ca/quebecs-law-25-a-guide-to-support-privacy-compliance/"><strong>Quebec’s Law 25: A guide to support privacy compliance</strong>&nbsp;</a></li>
</ul>



<p>____________________________________________________________________________________________________________</p>



<p><strong>For more news and insights about data protection follow The DPO Centre on&nbsp;<a href="https://uk.linkedin.com/company/dpo-centre" target="_blank" rel="noreferrer noopener">LinkedIn</a></strong></p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GDPR guide for SaaS companies expanding into EU &#038; UK markets </title>
		<link>https://www.dpocentre.ca/blog/gdpr-guide-for-saas-companies-eu-uk/</link>
		
		<dc:creator><![CDATA[Taylor Swann]]></dc:creator>
		<pubDate>Thu, 28 Nov 2024 11:32:16 +0000</pubDate>
				<category><![CDATA[Data Privacy Officer]]></category>
		<category><![CDATA[EU Representation Services]]></category>
		<category><![CDATA[Principles of GDPR]]></category>
		<guid isPermaLink="false">https://www.dpocentre.ca/?p=21571</guid>

					<description><![CDATA[<p>In our GDPR Guide for SaaS companies, we look at the key factors that SaaS businesses need to address to ensure compliance with EU and UK data protection laws. For the purposes of the guide, we use the General Data Protection Regulation (GDPR) as a collective term, but please be aware that there are certain [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.dpocentre.ca/blog/gdpr-guide-for-saas-companies-eu-uk/">GDPR guide for SaaS companies expanding into EU &amp; UK markets </a> appeared first on <a rel="nofollow" href="https://www.dpocentre.ca">DPO Centre</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>In our GDPR Guide for SaaS companies, we look at the key factors that SaaS businesses need to address to ensure compliance with EU and UK data protection laws. For the purposes of the guide, we use the General Data Protection Regulation (GDPR) as a collective term, but please be aware that there are certain differences between the EU GDPR and the UK GDPR, and we recommend that you consult with a privacy professional regarding any specific obligations.&nbsp;</p>



<p>The European and UK markets offer significant growth opportunities for SaaS companies looking to expand beyond their home territories. With large and diverse consumer bases, these regions are home to dynamic business sectors, both B2B (business-to-business) and B2C (business-to-consumer).&nbsp;</p>



<ul class="wp-block-list">
<li>The <strong><a href="https://single-market-economy.ec.europa.eu/system/files/2023-01/ASMR%202023.pdf" target="_blank" data-type="link" data-id="https://single-market-economy.ec.europa.eu/system/files/2023-01/ASMR%202023.pdf" rel="noreferrer noopener">European Commission’s 2023 Single Market Report</a></strong> estimates the total size of the EU consumer market at €8.6 trillion&nbsp;</li>

<li>The UK’s <strong><a href="https://www.ons.gov.uk/economy/nationalaccounts/satelliteaccounts/bulletins/consumertrends/apriltojune2023" target="_blank" data-type="link" data-id="https://www.ons.gov.uk/economy/nationalaccounts/satelliteaccounts/bulletins/consumertrends/apriltojune2023" rel="noreferrer noopener">Office for National Statistics latest consumer trends</a></strong> estimate the UK consumer market at £1.8 trillion&nbsp;</li>
</ul>



<p>However, successful expansion into the EU and UK requires more than just understanding local market dynamics and attracting customers. The need to comply with complex regulations can be a significant hurdle. This includes not only industry-specific regulations, such as those in the Life Sciences or Finance sectors, but also broad-reaching ones that encompass consumer privacy rights for all industries.&nbsp;</p>



<p>As privacy legislation is constantly evolving, it is important that you stay updated with the latest guidelines and remember that data protection and privacy compliance is not a one-time task, but an ongoing commitment.&nbsp;&nbsp;</p>



<h2 class="wp-block-heading"><strong>Handling the personal data of EU and UK residents: Your responsibilities</strong></h2>



<p>The fundamental purpose of the GDPR is to protect individuals’ privacy and data protection rights.&nbsp;</p>



<p><strong>What this means for SaaS platforms:</strong>&nbsp;</p>



<p>If you process the personal data of EU and/or UK residents, you must comply with the GDPR’s 7 principles.&nbsp;</p>



<p><strong><em>EXAMPLE:</em></strong><em> A Canadian company provides a CRM platform for B2B companies. The company is expanding its business into the EU and UK markets and will be storing the personal data of EU and UK residents as part of the business function. Therefore, the company must be able to demonstrate compliance with the 7 principles of the GDPR.</em>&nbsp;</p>






<figure class="wp-block-image size-full is-resized"><img fetchpriority="high" decoding="async" width="1008" height="699" src="https://www.dpocentre.ca/wp-content/uploads/2024/11/image.png" alt="GDPR Guide for SaaS companies: GDPR&#039;s 7 principles" class="wp-image-21588" style="width:600px" title="GDPR guide for SaaS companies expanding into EU &amp; UK markets  1" srcset="https://www.dpocentre.ca/wp-content/uploads/2024/11/image.png 1008w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-300x208.png 300w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-768x533.png 768w" sizes="(max-width: 1008px) 100vw, 1008px" /></figure>






<h2 class="wp-block-heading"><strong>Establishing a lawful basis</strong></h2>



<p>Before any personal data can be collected, you need to confirm a lawful basis. This is essentially the legal justification for processing someone’s personal data. Under the GDPR, there are 6 lawful bases.&nbsp;</p>



<p>The most appropriate lawful basis will depend on the specific purpose of the SaaS platform and can vary with the industry sector and type of processing.&nbsp;</p>



<p><strong><em>Example: </em></strong><em>An employer running payroll through an automated SaaS platform would typically rely on contract (paying salaries under the employment contract) and legal obligation (tax reporting) as its lawful bases for processing personal data such as employee bank details, tax identification numbers and names. The SaaS provider, acting as a processor, does not choose a lawful basis of its own but must process that data only on the employer’s documented instructions.&nbsp;</em></p>



<p>It’s important to make the right decision about your lawful basis from the start, as it’s difficult to swap to a different one later.&nbsp;</p>






<figure class="wp-block-image size-full is-resized"><img decoding="async" width="1007" height="629" src="https://www.dpocentre.ca/wp-content/uploads/2024/11/image-1.png" alt="GDPR Guide for SaaS companies: 6 lawful bases" class="wp-image-21589" style="width:600px" title="GDPR guide for SaaS companies expanding into EU &amp; UK markets  2" srcset="https://www.dpocentre.ca/wp-content/uploads/2024/11/image-1.png 1007w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-1-300x187.png 300w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-1-768x480.png 768w" sizes="(max-width: 1007px) 100vw, 1007px" /></figure>






<h2 class="wp-block-heading">GDPR guide for SaaS companies: <strong>The key documents you will need for compliance</strong>&nbsp;</h2>



<p>A vital part of demonstrating compliance with the GDPR is to have certain contracts, agreements and documents in place. </p>



<p>Contracts and agreements provide clarity and certainty for both businesses and customers by setting out the specific terms and conditions of processing personal data.&nbsp;</p>



<p>Here are some of the documents you should prepare, and some of the contracts you may need:&nbsp;</p>



<p><strong>Privacy policies and notices</strong> – These documents are important for ensuring transparency, and Articles 13 and 14 of the GDPR set out what they must contain. They should include your company contact details (and those of your DPO or EU/UK Representative where you have one), the types of personal data collected, how the data is collected and what it will be used for, the company’s lawful basis for processing, how long the data will be stored, any details of transfers to third parties or international organizations, the rights available to data subjects, and their right to lodge a complaint with a supervisory authority. If consent is your lawful basis, you must also tell individuals of their right to withdraw it at any time.&nbsp;</p>



<p><strong>Mandatory data processing clauses </strong>– These are required by Article 28(3) of the GDPR whenever you outsource any data processing to a third party. If you are processing EU or UK data, you must ensure the mandatory data processing clauses are in place with any supplier that will have access to that data. These clauses are usually contained in a Data Processing Agreement (DPA), which sets out the responsibilities and obligations of each party. A DPA should include the subject matter, nature and purpose of the processing, the lawful basis, the types of personal data and categories of data subjects, the duration of the agreement, the security measures to be applied, the processor’s obligations to assist with data subjects’ rights and breach notification, and the rules for engaging sub-processors. Other factors may also be required, depending on the specifics of the processing.&nbsp;</p>



<p><strong>Data sharing agreement</strong> – This agreement is used when two or more parties agree to share personal data for specific reasons. It establishes the terms for data sharing and the responsibilities and roles of each party. For example, between a company and a service provider. There is no set format for this agreement, and the details will depend on the scale and complexity of the data sharing. Generally, this agreement includes the purpose of data sharing, the types of data to be shared, the responsibilities of each party, data security, and data protection compliance measures.&nbsp;</p>



<p><strong>Transfer Agreement</strong> <strong>(TA)</strong> – This is necessary if you plan to transfer personal data outside the EU or UK, even if it has been pseudonymised (i.e. coded data). A transfer agreement is required for most recipient countries and there are certain mechanisms you can use for exporting data (see the following section: <em>Requirements for international data transfers</em>)&nbsp;</p>



<p><strong>Records of Processing Activities (RoPA)</strong> – A RoPA is a document that serves as a central record or inventory of all data processing activities within the business. Although not a contract or an agreement, maintaining records of processing activities is a requirement of Article 30 of the GDPR (with a limited exemption for organisations with fewer than 250 employees whose processing is only occasional and low-risk).&nbsp;</p>



<p>This list is by no means exhaustive, and there are other important documents you should have in place, including a data breach policy and a data retention policy. A data protection officer (DPO) will be able to advise you according to your business’s specific circumstances.&nbsp;</p>



<h2 class="wp-block-heading"><strong>And don’t forget a Data Protection Impact Assessment (DPIA)</strong></h2>



<p>A DPIA is a process used to analyse, identify, and minimise the data protection risks of a project or data processing activity. It’s an important tool in helping to achieve GDPR compliance.&nbsp;</p>



<p><strong>DPIAs are mandatory under Article 35 for processing that is likely to result in a high risk to individuals</strong>, such as large-scale processing of special category data.&nbsp;</p>



<p><strong><em>Example:</em></strong> <em>A SaaS platform offers a healthcare management system that processes personal data such as health records and genetic data. A DPIA would be required, as this is special category data and the processing is considered high-risk. In the event of a breach, the impact on individuals could be significantly higher than for other types of data, due to the sensitive nature of the information.&nbsp;</em></p>



<p>But even when a DPIA isn’t explicitly required by the GDPR, it’s a beneficial process to undertake and can help you to identify and reduce your data protection risks. It also promotes a ‘privacy by design’ approach, embedding best-practice data protection processes into the business right from the start.&nbsp;</p>



<p><a href="https://www.dpocentre.com/what-is-privacy-by-design/" target="_blank" data-type="link" data-id="https://www.dpocentre.com/what-is-privacy-by-design/" rel="noreferrer noopener"><strong>Read more about privacy by design</strong>.&nbsp;</a></p>



<h2 class="wp-block-heading"><strong>Requirements for international data transfers</strong></h2>



<p>The GDPR imposes strict restrictions on the transfer of personal data outside the European Economic Area (EEA) and the UK. If you are exporting personal data from these territories to other countries (known as ‘third countries’), there are mandated safeguards that must be in place.&nbsp;</p>



<p>A few countries have been awarded what is called ‘adequacy’, which means their data protection laws are ‘essentially equivalent’ to those of the EU and/or UK and do not require the use of additional safeguards or permissions. This simplifies the process of international data transfers.&nbsp;&nbsp;</p>



<p><a href="https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#:~:text=The%20European%20Commission%20has%20so,commercial%20organisations%20participating%20in%20the" target="_blank" data-type="link" data-id="https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#:~:text=The%20European%20Commission%20has%20so,commercial%20organisations%20participating%20in%20the" rel="noreferrer noopener"><strong>European Commission’s latest adequacy decisions</strong>&nbsp;</a></p>



<p><strong><a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#:~:text=In%20August%202021%2C%20the%20UK,%2C%20Indonesia%2C%20Kenya%20and%20Singapore." data-type="link" data-id="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#:~:text=In%20August%202021%2C%20the%20UK,%2C%20Indonesia%2C%20Kenya%20and%20Singapore." target="_blank" rel="noreferrer noopener">UK Information Commissioner’s Office adequacy regulations</a></strong></p>






<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="376" src="https://www.dpocentre.ca/wp-content/uploads/2024/11/image-2-1024x376.png" alt="GDPR Guide for SaaS companies: Mechanisms you can use for exporting data" class="wp-image-21590" title="GDPR guide for SaaS companies expanding into EU &amp; UK markets  3" srcset="https://www.dpocentre.ca/wp-content/uploads/2024/11/image-2-1024x376.png 1024w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-2-300x110.png 300w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-2-768x282.png 768w, https://www.dpocentre.ca/wp-content/uploads/2024/11/image-2.png 1362w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h3 class="wp-block-heading"><strong>Do you need a transfer impact assessment (TIA) or transfer risk assessment (TRA)? And what’s the difference?</strong></h3>



<p>A TIA and a TRA are similar types of data transfer risk assessment. TIAs are used for EU personal data transfers, and TRAs are the UK’s equivalent.&nbsp;</p>



<p><strong>EU transfer impact assessment (TIA)</strong> – You need to complete this for transfers of EU personal data from the European Economic Area (EEA) to third countries without an adequacy decision when relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The assessment checks whether the law and practice of the destination country undermine the protection the transfer mechanism is supposed to provide, and whether supplementary measures (for example, encryption with keys held only in the EEA) are needed.&nbsp;</p>



<p>Organisations transferring UK personal data to third countries can also choose to use a TIA instead of the ICO’s TRA approach. This may be the simpler option for organisations that handle both EU and UK personal data and want a single assessment method. However, you need to check whether the personal data is being transferred within the scope of the EU GDPR or the UK GDPR and choose the most appropriate assessment.&nbsp;</p>



<p><strong>UK transfer risk assessment (TRA)</strong> – You need to complete this for ‘restricted transfers’ of personal data from the UK to countries without UK adequacy regulations when relying on the EU SCCs with the UK Addendum, UK BCRs, or the International Data Transfer Agreement (IDTA).&nbsp;</p>






<h3 class="wp-block-heading"><strong>When is a TIA or TRA not required?</strong></h3>



<p>If a country has been awarded adequacy, a TIA or TRA is not required.&nbsp;</p>



<p>Also, Article 49 of the GDPR provides several exceptions, called derogations, that allow for the transfer of personal data to third countries without the need for a TIA or a TRA. These derogations are for specific situations and are not intended to be used regularly or as a standard method of transfer.&nbsp;</p>



<p>Here are a couple of examples of the most common derogations:&nbsp;</p>



<ul class="wp-block-list">
<li>Explicit consent – the data subject has explicitly consented to the proposed transfer&nbsp;</li>



<li>Contract – the transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual steps taken at the data subject’s request&nbsp;</li>
</ul>






<h2 class="wp-block-heading"><strong>Additional considerations for SaaS platforms in EU and UK markets</strong></h2>



<p>In addition to the GDPR, and depending on your business activities, you may also have to comply with EU and UK regulations specific to electronic marketing communications and online tracking.&nbsp;</p>



<h4 class="wp-block-heading"><strong>The EU’s ePrivacy Directive</strong></h4>



<p>This EU Directive (2002/58/EC) was adopted in 2002, more than two decades ago. Often referred to as the ‘cookie law’ (as it was the first piece of legislation to regulate the use of cookies and digital trackers), it also includes rules about marketing calls, emails, texts and faxes, and directory listings. Any business engaging in these marketing methods, or in the digital tracking of EU customers, must comply with the ePrivacy Directive as implemented in the national law of each Member State.&nbsp;</p>



<p><strong><em>Example: </em></strong><em>A FinTech company based in China provides an online platform for peer-to-peer lending. Wanting to expand into EU markets, the company runs various advertising campaigns and tracks the digital behaviour of potential customers. Therefore, the company must comply with both the EU GDPR and the ePrivacy Directive. This means the company must ensure compliance with the 7 principles of the GDPR, safeguard the confidentiality of communications for its EU users, and comply with the rules on tracking and monitoring. Any non-essential cookies on the website must require an opt-in choice before they are set.</em>&nbsp;</p>



<p><strong>Note:</strong> At the time of writing, the European Parliament and the Council of the European Union are finalising the negotiations on the proposed ePrivacy Regulation, which is set to replace the ePrivacy Directive. The new regulation proposes a broader scope with stricter rules for businesses, particularly those operating online.</p>



<h4 class="wp-block-heading"><strong>The UK’s Privacy and Electronic Communications Regulations (PECR)</strong></h4>



<p>This is the UK law derived from the ePrivacy Directive. PECR gives UK residents specific privacy rights regarding marketing calls, emails, texts, and faxes, cookies and similar technologies, and electronic communication security.&nbsp;</p>






<h2 class="wp-block-heading"><strong>Data Protection Officers (DPOs)</strong>&nbsp;</h2>



<p>The best way to achieve and maintain compliance with EU and UK data protection laws is to appoint a Data Protection Officer (DPO).</p>



<p><strong>DPOs have in-depth knowledge and experience of the various requirements your business needs for compliance with the GDPR and electronic communications laws.</strong></p>



<p>For some businesses, having a DPO is not only advisable but also a mandatory requirement. Article 37 of the GDPR states that a DPO is required if:&nbsp;</p>



<ul class="wp-block-list">
<li>The data processing is carried out by a public authority or body&nbsp;</li>



<li>The core activities of the business involve the regular and systematic monitoring of data subjects on a large scale&nbsp;</li>



<li>The core activities of the business involve the processing on a large scale of special category data or personal data relating to criminal convictions and offences&nbsp;</li>
</ul>



<p>However, many businesses choose to appoint a DPO even when it isn’t a legal requirement.&nbsp;</p>



<p><a href="https://www.dpocentre.com/services/outsourced-dpo-services/" target="_blank" rel="noreferrer noopener"><strong>Outsourced Data Protection Officer (DPO) Services</strong>&nbsp;</a></p>



<p>A DPO can not only help ensure compliance with EU and UK data protection laws, including advice on best practice for Data Subject Access Requests (DSARs) and notification requirements, but also manage data protection risks and rights in relation to automated decision making.</p>



<p>Fostering a data protection culture within your business is the best way to proactively maintain the trust of your customers and stakeholders, fortifying your reputation.&nbsp;</p>






<h2 class="wp-block-heading"><strong>EU and UK GDPR Representatives</strong></h2>



<p>All businesses that fall under the scope of the GDPR and do not have a physical presence within the EU or UK must appoint a GDPR Representative. If you are looking to expand into both markets, you will need a UK GDPR Representative AND an EU GDPR Representative.&nbsp;</p>



<p>A GDPR Representative acts as a point of contact for supervisory authorities such as the Information Commissioner’s Office (ICO) in the UK, the Commission Nationale de l’Informatique et des Libertés (CNIL) in France, or the Autoriteit Persoonsgegevens in the Netherlands.</p>



<p>GDPR Representatives are also the point of contact for data subjects wishing to exercise their rights under the GDPR. These rights include the right to access their personal data, the right to correct inaccurate data, the right to erasure, the right to restrict processing, the right to data portability, and the right to object to processing.&nbsp;</p>



<p>See here for additional information:&nbsp;</p>



<p><a href="https://www.dpocentre.ca/gdpr-representative-do-you-need-one/" target="_blank" data-type="link" data-id="https://www.dpocentre.ca/gdpr-representative-do-you-need-one/" rel="noreferrer noopener"><strong><em>GDPR Representative: Do you need one?</em></strong>&nbsp;</a></p>



<p><a href="https://www.dpocentre.ca/services/representation-services/" target="_blank" data-type="link" data-id="https://www.dpocentre.ca/services/representation-services/" rel="noreferrer noopener"><strong>GDPR Representative Service</strong>&nbsp;</a></p>






<h2 class="wp-block-heading"><strong>GDPR guide for SaaS companies: Summary</strong></h2>



<p>Businesses planning on entering EU and UK markets must comply with the local data protection laws, including the EU GDPR, the UK GDPR, the ePrivacy Directive, and PECR.&nbsp;</p>



<p>Maintaining a strong reputation for data protection also builds trust with customers and stakeholders, which is an essential foundation for commercial success.&nbsp;</p>



<p>The best way to achieve and maintain compliance is to appoint a Data Protection Officer (DPO) with the expertise and knowledge to help you navigate the myriad of regulations and requirements. They can help you draft the necessary contracts and agreements you will need, as well as manage international data transfers, and keep you up to date on any jurisdictional changes.</p>



<p>____________________________________________________________________________________________________________</p>



<h3 class="wp-block-heading"><strong>In case you missed it…</strong>&nbsp;</h3>



<ul class="wp-block-list">
<li><strong><a href="https://www.dpocentre.ca/canadian-privacy-laws-pipeda-and-beyond/" target="_blank" data-type="link" data-id="https://www.dpocentre.ca/canadian-privacy-laws-pipeda-and-beyond/" rel="noreferrer noopener">Canadian privacy laws: PIPEDA and beyond</a></strong>&nbsp;</li>



<li><a href="https://www.dpocentre.ca/quebecs-law-25-a-guide-to-support-privacy-compliance/" target="_blank" rel="noreferrer noopener"><strong>Quebec’s Law 25: A guide to support privacy compliance</strong>&nbsp;</a></li>



<li><a href="https://www.dpocentre.ca/international-data-transfers-explaining-eu-sccs-uk-addendum-and-uk-idta/" target="_blank" data-type="link" data-id="https://www.dpocentre.ca/international-data-transfers-explaining-eu-sccs-uk-addendum-and-uk-idta/" rel="noreferrer noopener"><strong>International data transfers: Explaining EU SCCs, UK Addendum and UK IDTA</strong></a></li>
</ul>



<p>____________________________________________________________________________________________________________</p>



<p><strong>For more news and insights about data protection follow The DPO Centre on&nbsp;<a href="https://uk.linkedin.com/company/dpo-centre" target="_blank" rel="noreferrer noopener">LinkedIn</a></strong></p>



<p>The post <a rel="nofollow" href="https://www.dpocentre.ca/blog/gdpr-guide-for-saas-companies-eu-uk/">GDPR guide for SaaS companies expanding into EU &amp; UK markets </a> appeared first on <a rel="nofollow" href="https://www.dpocentre.ca">DPO Centre</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GDPR Representative: Do you need one?</title>
		<link>https://www.dpocentre.ca/blog/gdpr-representative-do-you-need-one/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 22 Nov 2023 22:20:35 +0000</pubDate>
				<category><![CDATA[Data Privacy Officer]]></category>
		<category><![CDATA[EU Representation Services]]></category>
		<guid isPermaLink="false">https://dpoca.server.terryh.uk/?p=20818</guid>

					<description><![CDATA[<p>Navigating the complexities of data protection regulations can be challenging, especially for organisations and businesses operating across borders.&#160; The General Data Protection Regulation (GDPR) specifies that organisations located outside the EU, without an establishment in the region, must designate a Representative if processing the personal data of EU residents. The UK GDPR has the same [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.dpocentre.ca/blog/gdpr-representative-do-you-need-one/">GDPR Representative: Do you need one?</a> appeared first on <a rel="nofollow" href="https://www.dpocentre.ca">DPO Centre</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Navigating the complexities of data protection regulations can be challenging, especially for organisations and businesses operating across borders.&nbsp;</p>



<p>The General Data Protection Regulation (GDPR) specifies that organisations located outside the EU, without an establishment in the region, must designate a Representative if processing the personal data of EU residents. The UK GDPR has the same requirement for organisations processing the personal data of UK residents.</p>



<p><strong>This is a requirement for both data controllers and processors.&nbsp;</strong>&nbsp;</p>



<p>A controller is defined as a person or organisation that determines the means and purpose of processing personal data. A processor is a person or organisation that processes personal data only under the instructions of the controller.&nbsp;</p>



<p>In this blog, we help you understand whether your organisation needs an EU or UK GDPR Representative, or possibly both. Whether you are a data controller or processor, we answer some of the key questions frequently asked by businesses across the spectrum of industry sectors and sizes.&nbsp;</p>



<h2 class="wp-block-heading"><strong>Question 1: What is a GDPR Representative?</strong>&nbsp;</h2>



<p>A GDPR Representative is a person or organisation appointed to represent a controller or processor that handles the personal data of EU or UK residents and is located outside those territories.&nbsp;</p>



<p>There are two types of GDPR Representatives:&nbsp;</p>



<p><strong>EU GDPR Representative:</strong>&nbsp;Required if you are a data controller or processor located outside the EU and offer goods or services to, or monitor the behaviour of, EU residents.&nbsp;</p>



<p><strong>UK GDPR Representative:</strong>&nbsp;Required if you are a data controller or processor located outside the UK and offer goods or services to, or monitor the behaviour of, UK residents.&nbsp;</p>



<p>Representatives act as a point of contact for EU and UK-based individuals who want to exercise their data subject rights, and regulatory authorities that have queries about the data processing activities.&nbsp;</p>



<p><em><strong>EXAMPLE:</strong> If an individual living in the EU wants to know what personal data a company in the US has stored about them (a right known as a Data Subject Access Request or DSAR), they would contact the company’s EU GDPR Representative. The Representative would action this request and make sure the individual receives the information they are entitled to under data protection laws.</em></p>






<h2 class="wp-block-heading"><strong>Question 2: Is our type of processing and volume of data considered occasional? If so, do we need a GDPR Representative?</strong>&nbsp;</h2>



<p>This will depend on each individual situation, whether the type of processing and volume of data is deemed ‘occasional’, and whether an organisation is offering goods or services to EU or UK residents.&nbsp;</p>



<p>Generally, if data processing is occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, you will not need to appoint a GDPR Representative.</p>



<p><em><strong>EXAMPLE 1:</strong> A US medical device company sells goods to US customers. The company does not currently have any marketing activities within EU markets. However, they have acquired a single EU customer. The personal data processing for this single customer would be deemed occasional, as it is a one-off that will not occur on a regular basis, or will occur only on a limited scale. In this situation, the company would not need an EU GDPR Representative.</em></p>



<p><em><strong>EXAMPLE 2:</strong> A Canadian tech company sells software predominantly to North American customers and is expanding the business by advertising to EU and UK markets. The volume of EU and UK personal data processing is low, compared to the rest of the business. However, the company is specifically targeting EU and UK residents and offering goods and services as part of the business function. The company here would require both an EU and a UK GDPR Representative.</em></p>



<p><strong>It is important to note</strong> that even occasional processing of EU or UK personal data must still comply with the GDPR. This includes having a lawful basis for processing personal data and taking appropriate data security measures.</p>



<h2 class="wp-block-heading"><strong>Question 3: Do we still need a GDPR Representative if we pseudonymise our data?</strong>&nbsp;</h2>



<p>Pseudonymisation is a useful security technique to make it more difficult to identify individuals.&nbsp;</p>



<p>Pseudonymised data, sometimes known as coded data, is personal data that has been changed to prevent easy identification of a person without additional information. For example, names are replaced with aliases, addresses with regions, dates of birth with age ranges, etc. However, not all of these alterations need to be completed for data to be considered pseudonymised; what is required will depend on the specific database. Any data that can relate to a particular individual should be altered if needed.</p>



<p><em><strong>EXAMPLE:</strong> A life sciences organisation in the US is a sponsor for a clinical trial in the EU. The trial participants’ data are pseudonymised for safeguarding and security. As EU residents’ personal data is being processed, the sponsor must comply with the GDPR. Under the GDPR, pseudonymisation does not change the status of personal data, as it remains ‘indirectly identifiable’.</em></p>



<p>Therefore, as the trial is designed specifically for EU participant data, and the data will be processed outside the EU, the organisation must appoint an EU GDPR Representative, unless they have an appropriate establishment within the EU. Even if the organisation has a data protection officer (DPO), they will still need a GDPR Representative, as the roles hold different functions (as explained later, in question 7).</p>



<h2 class="wp-block-heading"><strong>Question 4: Our organisation processes both EU and UK personal data. Do we need both an EU and UK GDPR Representative?</strong>&nbsp;</h2>



<p>If your organisation processes both EU and UK personal data and does not have a branch, office or other establishment in any EU, EEA or UK region, you may need to appoint both an EU and a UK GDPR Representative.&nbsp;</p>



<p><em><strong>EXAMPLE:</strong> A lead generation company in Singapore targets EU and UK residents with a number of digital marketing campaigns. They collect, use and process various types of personal data including names, emails, phone numbers and addresses. As the company does not have a suitable establishment within either the EU or the UK, to comply with the GDPR they would need to appoint both an EU and a UK GDPR Representative as a point of contact.</em></p>



<p><strong>It is important to note&nbsp;</strong>that as the UK has completely separated from the EU, it is considered a different jurisdiction for data processing.&nbsp;</p>



<p>UK organisations without an office or branch in the EU that process EU residents’ personal data will need to appoint an EU GDPR Representative.&nbsp;Likewise, EU organisations that do not have an office or branch in the UK and process UK residents’ data need to appoint a UK GDPR Representative.&nbsp;</p>



<h2 class="wp-block-heading"><strong>Question 5: Our company is a small, family-run organisation. How do we find out if we need a GDPR Representative?</strong>&nbsp;</h2>



<p>The main qualifying factor for the requirement of a GDPR Representative is whether the company processes the personal data of EU or UK residents and is located outside these areas.&nbsp;</p>



<p>Other factors include the type of processing, the volume of data and whether it is considered large scale. The size of the company is not of primary importance, but the volume and type of data processing are.&nbsp;</p>



<p>There isn’t a specific volume of data that triggers the need for a GDPR Representative; what matters is the volume relative to the organisation’s normal amount of processing. This can vary, depending on the industry sector.</p>



<p><em><strong>EXAMPLE:</strong> A small tech company in China sells various apps to their main customer base in the UK. They want to enter the EU market and have several online marketing campaigns to attract more customers. The company processes names, addresses, and payment information. As an exercise app, it also captures and stores health information. The company does not have an office or branch in either the EU or UK, but they currently have a UK GDPR Representative. They will now also need to appoint an EU GDPR Representative to act as a point of contact for EU authorities and customers.</em></p>



<h4 class="wp-block-heading"><strong>Special category data considerations:</strong>&nbsp;</h4>



<p>Special category data refers to a particular type of personal data that is considered more sensitive and requires higher levels of protection.</p>



<p><strong>It is important to note</strong>&nbsp;that when it comes to handling special category data, like health records or clinical trial information, it is often necessary to appoint a GDPR Representative. This is usually because the processing involves large amounts of sensitive information.</p>



<p>However, according to Article 27(2)(a) of the GDPR, if a non-EU/UK company processes EU/UK residents’ personal data infrequently, and this processing does not involve large volumes of sensitive data and is unlikely to pose a risk to the rights and freedoms of individuals, then the company is not obliged to appoint a GDPR Representative. This provision is significant for smaller or less data-intensive non-EU/UK organisations, as it reduces their compliance burden under the GDPR.</p>



<h2 class="wp-block-heading"><strong>Question 6: We engage a third-party company to handle some of our data processing activities that involve EU residents. Do we each need to appoint an EU GDPR Representative?</strong>&nbsp;</h2>



<p>Controllers and processors need to appoint a GDPR Representative if they are located outside the EU or UK and process the personal data of EU or UK residents.</p>



<p>If both the controller and processor are located outside the EU or UK, they will both need to appoint a suitable GDPR Representative.&nbsp;&nbsp;&nbsp;</p>



<p><em><strong>EXAMPLE:</strong> A tech company in the US provides data analysis for another US tech company, which sells marketing services to an insurance company in the Netherlands. Both tech companies are processing the data of EU residents. Therefore, under the GDPR, both companies will need to appoint an EU GDPR Representative. As the insurance company is based in the EU, it does not need to appoint one.</em></p>



<p><strong>It is important to note</strong>&nbsp;that a mechanism such as standard contractual clauses (SCCs) is required for international data transfers between controllers and processors, along with the necessary transfer risk assessment (TRA) or transfer impact assessment (TIA).&nbsp;</p>



<p><a href="https://www.dpocentre.com/standard-contractual-clauses-sccs-for-data-transfers/" target="_blank" rel="noreferrer noopener"><strong>Read about SCCs for data transfers</strong></a>&nbsp;</p>



<h2 class="wp-block-heading"><strong>Question 7: How does a GDPR Representative work with a data protection officer (DPO)?</strong></h2>



<p>A GDPR Representative and Data Protection Officer (DPO) have distinct roles.&nbsp;</p>



<p><strong>Data protection officers work internally within organisations</strong>&nbsp;to inform, advise and monitor compliance with the GDPR.&nbsp;</p>



<p><strong>GDPR Representatives act on behalf of companies not based in the EU or UK&nbsp;</strong>and facilitate external communications as required. They are the official point of contact for data subjects and supervisory authorities and should communicate in the language of the request.&nbsp;</p>



<p>The two roles can collaborate to ensure that data protection practices are effective and aligned with regulatory requirements.&nbsp;</p>



<p><em><strong>EXAMPLE:</strong> A UK-based insurance company sells products to customers in the UK and EU. The company has a DPO and an EU GDPR Representative. The DPO is responsible for monitoring and managing compliance with UK GDPR and EU GDPR, advising on data protection obligations and acting as a point of contact for UK data subjects and the UK’s Information Commissioner’s Office (ICO). The EU GDPR Representative is the local point of contact for EU data subjects and each of the EU supervisory authorities. They handle any inquiries or complaints from EU customers and EU data protection authorities, and relay these to the DPO, liaising as required. The DPO advises the company on how to handle any EU inquiries to ensure compliance with EU GDPR. The two roles are distinct and separate, although they work together when needed to ensure the company is compliant when processing EU personal data and no conflict of interest is created.</em></p>



<p>In this example, the company has both a DPO and a GDPR Representative. For companies that do not have a DPO, the GDPR Representative would relay any inquiries or complaints from customers and data protection authorities directly to the company.&nbsp;</p>



<h2 class="wp-block-heading"><strong>Summary</strong>&nbsp;</h2>



<p>A GDPR Representative acts as a point of contact for data subjects and data protection authorities. There are two types – an EU GDPR Representative and a UK GDPR Representative.&nbsp;</p>



<p>The requirement for an EU or UK GDPR Representative is the same for both data controllers and data processors that handle the personal data of EU or UK residents, respectively, and does not depend upon the size of the organisation, but more the volume of data processing.&nbsp;</p>



<p>To summarise, a GDPR Representative will be required if:&nbsp;</p>



<ul class="wp-block-list">
<li>An organisation is located outside the EU/UK, and does not have a local office </li>



<li>The personal data of EU or UK residents is being collected, stored or processed </li>



<li>The data processing is not occasional and is part of the business function </li>



<li>The data processing is related to the provision of goods or services, regardless of whether a payment is made </li>



<li>The data processing is related to the monitoring of behaviour of EU/UK residents </li>



<li>An organisation processes any special category data, even occasionally </li>
</ul>



<p>If your business is based outside the EU and you process the data of EU residents, you will need an EU GDPR Representative, unless you have a local establishment. The same applies if your business is based outside the UK and you process UK residents’ data – you will need a UK GDPR Representative.&nbsp;</p>



<h2 class="wp-block-heading"><strong>The DPO Centre can help with both EU and UK GDPR Representation</strong></h2>



<ul class="wp-block-list">
<li>Offices in Dublin and all 27 EU member states, as well as the UK</li>



<li>The necessary ‘establishment’ details in the UK or any EU member-state to publish on your EU/UK facing privacy notice</li>



<li>Access to one of the largest teams of experienced data protection professionals </li>



<li>Specialist advice line, providing assistance, recommended actions, and appropriate responses </li>



<li>Highly cost-effective solution </li>
</ul>



<p>We have worked with over 800 clients globally across the spectrum of industry sectors, supporting their data protection compliance and bringing peace of mind.&nbsp;</p>
<p>The post <a rel="nofollow" href="https://www.dpocentre.ca/blog/gdpr-representative-do-you-need-one/">GDPR Representative: Do you need one?</a> appeared first on <a rel="nofollow" href="https://www.dpocentre.ca">DPO Centre</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
