The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a company designates a representative in Europe, can that designation be used by a supervisory authority as evidence that the company is actually established in Europe?
The GDPR requires most companies that are not established in Europe, but are subject to the extraterritorial reach of the regulation, designate a “representative in the Union.” That representative must be “established in one of the Member States” where data subjects are being monitored or in one of the member states wehre data subjects have been offered goods or services, and is intended to “facilitate the communication between data subjects and the controller or processor represented.”
Some companies were hesitant to name an Article 27 representative for fear that in so doing they might be creating a “stable arrangement” with Europe that could be interpreted by a regulator as subjecting the organization to the broader establishment jurisdiction of the GDPR. In response to this concern, the European Data Protection Board has stated that “the presence of an Article 27 representative within the Union does not constitute an ‘establishment’ of a controller or processor” under the GDPR.
1. GDPR, Article 27(1).
2. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 23.
3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 20.