#7 Data Privacy Best Practice: Consider whether you need to appoint an EU data protection representative under the GDPR.
My recent posts in this series have discussed best privacy practices for the hypothetical software company BizConnect. These practices have included:
a) drafting a GDPR compliant privacy policy; b) self-certifying under the Privacy Shield for transfers of EU personal data; c) adopting GDPR model clauses for transfers of EU personal data; d) deciding whether to conduct a DPIA and/or adopt a Code of Conduct; and (e) discuss why BizConnect should draft an internal written data security plan, obtain SSAE-18 audit reports, and adopt a Business Continuity Plan.
This post focuses on whether BizConnect needs to appoint a data representative in the EU pursuant to Article 27 of the GDPR.
Article 27: Companies who process EU personal data and do not maintain an establishment in the EU (like a branch or subsidiary) are required to designate a representative physically located in the EU. The data representative acts like a physical mailbox in the EU to receive and transmit information from EU Data Protection Authorities to the subject company. See Article 27 text here.
What is “occasional” processing?
BizConnect does not have a physical presence in the EU but it does process EU personal data. It has heard of an exception to the Article 27 requirement for “occasional” processing. Such “occasional” processing must not include any large scale processing of special category data or data related to criminal convictions. Unfortunately, the EU gives no guidance on its interpretation of what will be considered “occasional.”
Experts’ views:
Commentators seem to take a conservative view of what is occasional. Lothar Determann has said that “Most companies are covered if they are subject to the GDPR but do not maintain an establishment in the EU.” Sharon Anolik, founder of Privacy Panacea, told me that a company that is collecting and processing EU personal data on a “regular or recurring” basis is likely subject to Article 27, and not able to claim that it is only an occasional processor. Trying to argue that the number of customers or percentage of revenue derived from the EU is small will probably not be a winning argument. Sharon also noted that the EU tends to be more “black and white” in its interpretation and application of rules rather than a best efforts approach more familiar in the US.
BizConnect: To analyze BizConnect’s regulatory obligations, we need a refresher on its business. As discussed in earlier posts, BizConnect provides a SaaS platform to enterprise clients to improve their project management capabilities. BizConnect acts as a data controller for any personal data provided by the enterprise customer. For example, if Jane Doe, the CFO of ABC, Inc (an enterprise customer), provides her name and email, BizConnect is a data controller for that personal data. I refer to that as Level 1 data. ABC, Inc is also uploading its employees’ personal data (name and email) on to the BizConnect platform. I refer to that as Level 2 data. For Level 2 data, ABC Inc. is the data controller and BizConnect is the data processor.
Recommendation: The cautious approach for BizConnect would be to appoint an EU data protection representative. It can choose any country where it processes data subject’s personal data. There are services that charge an annual fee depending on annual revenue. With Brexit looming, be sure to choose a location outside of U.K. for any non-U.K. processing. Post Brexit, the U.K. is not an acceptable location for the Article 27 data protection representative. There are subscription services on a sliding scale (based on revenue) that can provide this service.