Updated: Nov 24, 2019
As you review options for an EU representative to fulfill GDPR Article 27 requirements, it is worthwhile to consider price, whether the representative fulfills compliance requirements, and your general comfort that the representative will fulfill the regulatory duty you assign to them. However, a key compliance requirement that some EU representative services quickly gloss over (or do not mention at all) is their location – your representative must be “established” in one of the countries where the persons from whom you are collecting information are located. This post provides details about this requirement.
EU law requires that a representative be established in the country where you have data subjects, and EU regulators have recommended that your representative be in the EU country where you have the most data subjects. EUPR is established in Germany, the EU country with the greatest proportion of EU internet traffic, and is therefore an excellent choice for your representation needs.
IN WHICH COUNTRIES MUST THE REPRESENTATIVE BE ESTABLISHED?
Here’s the exact language from Article 27(3) of the GDPR:
"3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are."
The language makes clear that your representative cannot just be located in any EU country – they have to be in the same country as the people whose data you will be collecting (data subjects).
The European Data Protection Board (EDPB) expanded on the rationale for this requirement in their Guidelines 3/2018 on the territorial scope of the GDPR (Nov. 2019). They reiterated the Article 27(3) requirement and explained (at p26):
“In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State.”
They also emphasized that the focus is on the location of the data subjects, and not the location of any specific processor.
Nevertheless, the EDPB confirmed that establishment is not required in every EU country where a data subject may reside as long as the representative remains easily accessible in those countries. They noted that the key issue for the representative would be to communicate in the “language or languages used by the supervisory authorities and the data subjects concerned” (p27). They gave the example of an Indian pharmaceutical company conducting clinical trials in Belgium, Luxembourg and the Netherlands, and recommended that the representative be established in Belgium since most of the patients were expected to be Belgian residents, so long as the representative was easily accessible to persons in the Netherlands and Luxembourg. (Ex. 25, pp26-27)
The UK Information Commissioner’s Office (ICO) has offered consistent guidance regarding European Representatives for companies as that country prepares for the possibility of a “no deal” Brexit. They provided the example of a UK law firm that does not have offices in the European Economic Area (EEA), but has a regular client base exclusively in Sweden and Norway. The ICO stated that the “European representative [for this law firm] may be based in either Sweden or Norway, but not any other EU or EEA member state.”
WHAT IS REQUIRED TO BE ESTABLISHED?
Now that it is clear that European regulators have expectations regarding the specific location of representatives, what does it mean for a representative to be “established” in a certain country? Recital 22 of the GDPR notes that:
“Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
The EDPB’s opinion regarding territorial scope only addresses “establishment” for purposes of whether the GDPR applies to an entity outside the EU, and there is no guidance for what it would take for an EU representative to be considered as “established” in an EU country.
Nevertheless, portions of the EDPB’s guidance are helpful. For example, the EDPB explains how “the [Court of Justice of the European Union] ruled that the notion of establishment extends to any real and effective activity — even a minimal one — exercised through stable arrangements” and that the “fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law.” (pp6-7) The EDPB notes that the GDPR, in contrast to its predecessor (the EU Privacy Directive), departs from the “formalistic approach whereby undertakings are established solely in the place where they are registered.” (p6) The EDPB’s use of the word “solely” in this sentence is significant: it acknowledges that, while a branch office may not be necessary for an entity to be considered established and other factors could affect this determination, a registered branch in a country would be sufficient for establishment.
Based on this guidance, companies evaluating representatives should look carefully at the following criteria:
Is the representative actually established in the EU countries where that client’s data subjects (e.g., customers) are located?
Is the representative established in the country where most of its data subjects reside, based on the EDPB’s recommendation?
NOTE: Companies broadly targeting the European market would be well served to look for representatives established in Germany, since that is the EU country reported as receiving the greatest proportion of EU web traffic.
How is the representative “established” in the various EU Member States?
NOTE: Determining establishment is open to interpretation and has some inherent flexibility, but companies would also be well served to be certain that their representative would be deemed as established in the relevant country, such as through having a registered office.
EUPR has modeled its business on following the best practices from this analysis to ensure compliance, while also maintaining efficiency and value.
We have a registered branch office in Berlin, Germany and can effectively communicate in German, as well as other EU languages, to ensure we remain easily accessible to all of our clients' data subjects. This should be sufficient for most of our clients, though we will consider opening other branches if we believe there is a sufficient business case to justify that investment.
We also maintain our headquarters in Riga, Latvia, where the lower cost structure for our resources allows us to pass those savings to our clients.
In sum, we have built our service to ensure both uncompromising compliance and value, all with our clients' best interests in mind.
DISCLAIMER: The above analysis contains EUPR’s review of relevant legal documents and is intended to be informative, but is not legal guidance to EUPR clients or any other persons. We recommend that all clients conduct their own analysis independently with their own counsel. EUPR does not provide legal advice or services.