EU Representative and Swiss Representative for data protection
Do you need to appoint a data protection representative?
The revised Swiss Federal Act on Data Protection (revFADP), which came into force on 1st September this year, includes a requirement to appoint a Swiss representative. This got me wondering how many UK companies might remain blissfully unaware of the requirement for many businesses to appoint an EU representative post Brexit.
What is an EU Representative?
If you’re a UK-based business, you may still fall under the scope of EU GDPR if you offer goods and services to individuals in the European Economic Area or monitor the behaviour of individuals in the EEA. If you don’t have a branch, office or other establishment in an EU or EEA state, EU GDPR requires you to appoint a representative within the EEA.
This representative needs to be authorised in writing to act on your organisation’s behalf regarding your EU GDPR compliance. They are intended to be a point of contact for any EU regulator and EU citizens.
The representative can be an individual or a company and should be based in an EU or EEA state where some of the individuals whose personal data you handle are located. So, for example if you process data relating to German, Spanish and Italian customers, your EU rep should be based in one of these countries.
What constitutes ‘Offering Goods and Services’?
The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provide helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.
The mere fact that your website is accessible to EU citizens isn’t enough to require an EU Representative. It needs to be ‘apparent or envisaged’ that your products and services are being offered to individuals in one or more EU member states.
Let’s take a look at what that means. Does your organisation:
- describe products and services in the language of an EU member state?
- offer prices in Euros?
- actively run marketing and advertising campaigns targeting an EU country audience?
- mention dedicated contact details to be reached from an EU country?
- use any top-level domain names, such as .de or .eu?
- describe travel instructions from one or more EU member states to where your service is provided?
- mention clients/customers based in one or more EU states?
- offer to deliver goods to EU member states?
Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Representative. You will not need to appoint a representative if you are a public authority, or if your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we’re a small business and our answer to all the above questions is NO.
But if, for example, you’re actively targeting your marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.
What does an EU Representative do?
Once you’ve established you meet the criteria, you need to know what an EU Representative’s responsibilities are and find a company to provide this service. They have the following core responsibilities:
- co-operating with the EU supervisory authorities on your behalf
- facilitating communications between EU citizens and your organisation
- being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
- supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.
A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies. In selecting Ireland, you would need to be handling Irish citizens’ data. If, for example, you only process French and German citizens’ data, you would need a Representative in one of these countries.
What about Swiss Representatives?
The revised Swiss Federal Act on Data Protection (revFADP) includes new and more stringent obligations on non-Swiss companies doing business in Switzerland. It includes a requirement to appoint a Swiss Representative. The Act broadens the territorial scope of the application of Swiss data protection law to make sure companies worldwide remain accountable for the protection of Swiss individuals’ personal data.
In practice, like the EU GDPR, organisations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with revFADP requirements. Organisations which process personal data of individuals in Switzerland and do not have a ‘corporate seat’ in Switzerland will need a Swiss Rep. For example, if your activities:
- involve offering goods and/or services to individuals or monitoring their behaviour, on a large scale,
- are on a large scale, carried out regularly and pose a high risk to the data subject.
The role of Swiss Rep has evolved from EU GDPR; they act as a local, accessible point of contact in Switzerland for individuals and for the FDPIC.
However, there are some distinct differences between revFADP and EU GDPR, such as the difference between a ‘corporate seat’ under revFADP and an ‘establishment’ under EU GDPR. Data processing on a large scale regularly and posing a high risk are part of the application criteria under revFADP, whereas under EU GDPR there’s an exemption to appointing an EU representative if your processing is not on a large scale, is not routine and is not high risk.
So, what’s the risk of not having a Representative?
This is not an area where we have seen much regulatory action. It seems likely a failure to appoint an EU or Swiss representative would only come to light if an organisation suffered a personal data breach which impacted EU or Swiss individuals, or a particularly tricky complaint was received from an individual based in the EU or Switzerland.
However, if you squarely meet the criteria to appoint one, it would be wise to do so. There are plenty of companies who provide this service.