Representative

GDPR: How Will ‘Representatives’ Work?

Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.

All, that is, with the exception of Recital 80 / Article 27 – Representatives.

I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.

My English translation (i.e. not legalese) of Recital 80 is:

Any controller or processor not established in EU, but who:

1. offers goods or services (regardless of payment acceptance) to data subject in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.

…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:

  • is occasional;
  • does not include processing on a large scale of special categories of personal data;
  • does not include processing of data relating to criminal convictions and offences;
  • is assessed as low risk; or
  • is performed by a public authority or body

Continue reading