The EU General Data Protection Regulation (GDPR), which applies from May 2018, is already having ramifications for companies all over the world. The GDPR affects not only European companies but any company, anywhere in the world, that offers goods or services to individuals in the EU or monitors their behaviour. Such a company may be located in the US, in China, or in the middle of the Pacific Ocean, but it is still subject to the GDPR – to its requirements for processing, using and storing personal data, and to its heavy fines for non-compliance.
The EU representative – for companies not based in the EU
One of the requirements under the GDPR is the appointment of a representative in the EU for international companies that have no establishment within the Union. The EU representative must be designated in writing, and the obligation applies both to the “controller” (the company that determines why and how the data is processed, typically the one in a customer relationship with the data subject) and to any (sub-contracted) “processor” of the data. Under Art. 27(2) GDPR, the obligation does not apply if the processing is occasional, does not include large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10), and “is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”. These three conditions are cumulative: all of them must be met for the exemption to apply.
Only certain types of companies are subject to this obligation, as specified in Article 27 GDPR. For commercial operators selling goods or services to individuals in the EU, two areas of data handling and processing are particularly relevant to the obligation to appoint a representative in the Union.
The first is the systematic monitoring of data subjects in the EU. Typical examples are tracking or profiling individual customers or users located within the EU. Marketing based on detailed customer profiles of people in the EU is therefore one of the activities that triggers the requirement.
The second is the large-scale collection and processing of special categories of personal data. Under Article 9 GDPR, these are data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership”, as well as “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation”; processing such data is prohibited unless one of the exceptions in Art. 9(2) applies. It remains to be seen which non-European companies are handling this type of data about people in the EU.
What does the EU representative do?
The representative must be established in one of the EU member states in which the data subjects whose data is processed are located (Art. 27(3) GDPR). This natural or legal person acts as a point of contact for requests from the supervisory authorities and from data subjects, and represents the controller or processor with regard to their obligations under the GDPR. The representative does not need to be a lawyer, but must be extremely well-versed in European data protection law. Appointing an EU representative does not affect the liability of the controller or processor, but the representative itself may also be subject to enforcement proceedings in the event of non-compliance by the controller or processor (Recital 80 GDPR).
Getting ready for May 2018
Although the GDPR only applies from 25 May 2018, all companies – both within and outside Europe – need to ensure that they are compliant before that date. They should carry out an initial audit that results in a list of areas where work is needed, and then make sure that those areas are brought into line in time.
How long this takes depends on a range of factors. If the company already has a process for handling personal data, the work may be manageable, but even then it needs to start a project to examine whether that process complies with, or can be adapted to, the GDPR requirements. Every procedure in the company that uses personal data has to be analysed in the light of the GDPR.
Companies should therefore start with a gap analysis comparing the current state with the target state. They should establish what data they hold, how it should be handled, and what procedures are in place. Is the data deleted after every use, or is it stored somewhere? Is it kept secure so that nobody without authorisation can access it? Does the company reuse it, and does it have the right to do so? Having established what they are actually doing, companies should then look closely at what is permissible under the GDPR.
The eco Data Protection Service – Supporting eco members to become compliant
eco offers a Data Protection Service for the association’s members. Based in Germany, the association offers small and medium-sized companies within and outside of Europe a straightforward route to GDPR compliance. The service helps companies obtain the information they need, carries out an initial audit, trains staff, and gives workshops where required. It can also act as the EU representative for international eco members that have no European establishment. More information on the eco Data Protection Service is available here.
For member companies based in Germany, or with a subsidiary in Germany, eco also offers the eco External Data Protection Officer service as an alternative for companies that are required by law to appoint a Data Protection Officer (see Art. 37 GDPR).
Clarissa Benner LL.M. recently joined eco’s legal team as an attorney and a specialist in data protection. Prior to joining eco, she worked as an in-house attorney with a teleshopping station in Grünwald, having previously spent four years working as an attorney in a media law firm in Munich. She completed her earlier legal apprenticeship in the district of the Higher Regional Court of Cologne. In addition to her core legal qualifications, Clarissa holds a Masters in Media Law.