The GDPR applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s location, and regardless of whether the processing takes place in the EU or not.
No surprise then that UK companies will still have to comply with GDPR after 31 December 2020, if they sell products or services in the EU. However, what may come as a surprise is an additional obligation (often referred to as the ‘hidden obligation’) contained in Article 27 of the GDPR.
Article 27 GDPR
Article 27 states as follows:
1. Where Article 3(2) applies (offering ‘goods and services’ or ‘monitoring behaviour’ of EU residents), the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
A. processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; (This exception rarely applies to commercial businesses) or
B. a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
So, does Article 27 apply to your business?
Most likely yes, if you wish to offer ‘goods or services’ to the EU market from 01 January 2021 and you don’t have a presence in the EU (such as a warehouse or office).
‘Monitoring behaviour’ could include, for example, tracking or recording what individuals do on the internet, such as their clicks, website visits, cookies or video views.
What can you do?
One option is to appoint an EU Representative. The EU Representative would need to be established in one of the EU member states where you have customers or clients. An EU Representative has a number of tasks, including:
1. To communicate with data subjects (customers) and regulators about their clients’ data protection compliance.
2. To maintain records of their clients’ processing of personal data (Record of Processing Activity – Article 30 GDPR), and to share these records with the relevant supervisory authorities when asked.
What happens if you do not appoint an EU Representative when you should?
If you do not appoint an EU Representative when you should, then you could face an administrative fine of up to 10 million Euros, or two percent of your annual turnover.
Who can offer this service?
Many organisations are offering this service, including us. SME Comply Ltd has an office in Dublin and has already started offering this service to clients via a services contract.
Contact us for an informal chat about whether:
– your company is required to appoint an EU representative; and
– your company processes the personal data of some individuals who are in the Republic of Ireland. Your Irish customers do not have to make up a large part of your customer base or database. It is simply necessary that the personal data which your company holds includes some information about individuals in the Republic of Ireland.