Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.
All, that is, with the exception of Recital 80 / Article 27 – Representatives.
I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.
My English translation (i.e. not legalese) of Recital 80 is:
Any controller or processor not established in the EU, but who:
1. offers goods or services (whether or not payment is required) to data subjects in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.
…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:
- is occasional;
- does not include processing on a large scale of special categories of personal data;
- does not include processing on a large scale of data relating to criminal convictions and offences; and
- is unlikely to result in a risk to the rights and freedoms of natural persons (taking into account the nature, context, scope and purposes of the processing).
All of those conditions must hold together for the exemption to apply. The only other exemption is where the controller or processor is a public authority or body.
The representative must be designated in writing and mandated by the controller or processor to be addressed on its behalf (by supervisory authorities and data subjects in particular) on all issues relating to the processing, and must perform its tasks in line with that mandate, including cooperating with the competent supervisory authorities.
The designated representative is subject to enforcement proceedings in the event of non-compliance by the controller or processor; however, designating a representative does not reduce the controller’s or processor’s own responsibility or liability under the Regulation.
So, if you accept that ‘occasional’ means much the same as ‘not part of an established and ongoing process’, then anyone doing business with the EU on a regular basis is pretty much in scope for the requirement.