Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.
All, that is, with the exception of Recital 80 / Article 27 – Representatives.
I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.
My English translation (i.e. not legalese) of Recital 80 is:
Any controller or processor not established in EU, but who:
1. offers goods or services (regardless of payment acceptance) to data subject in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.
…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:
- is occasional;
- does not include processing on a large scale of special categories of personal data;
- does not include processing of data relating to criminal convictions and offences;
- is assessed as low risk; or
- is performed by a public authority or body
The representative must be under a written mandate from the controller or processor to officially act on its behalf, as well as perform its services in full compliance with this Regulation, including cooperating directly with supervisory authorities.
The designated representative is subject to enforcement proceedings, however, the controller or processor is still fully liable as well.
So, if you accept that ‘occasional’ is much the same as ‘not part of an established and ongoing process’, then anyone doing business with the EU on a regular basis is pretty much in scope for the requirement.
All that is fine until you get to the last line (as written in the GDPR); “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.“
I don’t know about you, but if I was asked to accept liability for another organisation I would perform a significant amount of due diligence first. Of the hundreds of thousands of micro/small businesses in-scope for this requirement, how many are going to pay me to perform adequate due diligence? Somewhere in the region of none I suspect.
Or if I can’t perform due diligence, can I at least severely limit all financial and civil liability through contract language? Can I lay off the potential administrative penalties against some form of ‘data protection insurance’? If the answer to either of these is yes, what the Hell is the point of having a representative?
That was my first issue, my second issue relates to Article 27(3): “The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.“
In other words, you could be doing business in all 28 member states, but you only have to designate a representative in one of them. Does this mean that you don’t have to provide language support?
You could point to Article 7(2) – Conditions for Consent and Article 12(1) – Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject which include the words “an intelligible and easily accessible form, using clear and plain language” but surely even the most creative lawyer can’t segue that into a demand for ‘local language support’. Who in their right mind would make the expense of supporting all 24 official languages in the EU?
My final point is a practical one; how much are businesses prepared to pay for this service? Clearly the price will go up along with the risk profile, but even a low risk business may need significant support. The responsibilities of the Representative are:
- Deal with supervisory authorities on all “issues related to processing“;
- Deal with data subjects on all “issues related to processing“; and
- Ensure that 1. ands 2. are performed in a manner that supports “compliance with this Regulation“
The controller or processor can fully ‘delegate’ these responsibilities to the Representative, or only partially. Clearly partial delegation will be cheaper, but how many third country businesses will be able to perform any of these functions themselves?
Perhaps I’m overthinking this, which would be very unlike me, and maybe this is all very straightforward, but I have found exactly zero guidance on this from any source. Even a direct question to the usually very helpful ICO yielded no clarity.
So, to the real data protection / GDPR experts out there; how the Hell is this going to work?*
[If you liked this article, please share! Want more like it, subscribe!]
[* If you’re offering these services, just send me your service description, do not try to advertise though me. I cannot imagine how you could possible provide a decent service at a price-point that makes sense, so be aware that I happily expose #gdprcharlatans. I am equally happy to point people at your website if I think your service is reasonable.]