The broad territorial scope of the EU General Data Protection Regulation (GDPR) privacy law is well-known. Many companies based outside of the EU are suddenly dealing with the high standards of EU data protection law. And to avoid potential fines of up to 4 percent of annual turnover, it's necessary to meet these high standards.
Your company can do everything required to meet the strict requirements around transparency, access, and security. But if you don't have a base in the EU, you'll also need to appoint someone to represent you there. This individual is known as an EU Representative.
Producing a "written mandate" or appointment letter to mark this appointment is an essential part of GDPR compliance.
Let's take a look at what you should include in your appointment letter.
- 1. Who Can Be an EU Representative?
- 2. Who Needs an EU Representative?
- 3. What to Include in Your Appointment of EU Representative Letter
- 3.1. Details of the Appointment
- 3.2. Role of the EU Representative
- 3.3. Status of the EU Representative
- 3.4. Conditions of the Appointment
- 3.5. Indemnity Clause
- 3.6. Governing Law
- 3.7. Non-Disclosure Agreement (NDA)
- 5. Summary of Your Appointment of EU Representative Letter
One of the main purposes of the GDPR is to protect personal data - any information that can be used to identify a person. There are now thousands of companies processing personal data - collecting it, storing it, selling it. There is a serious threat to the privacy of individuals ("data subjects") if this is not done correctly.
Article 3 of the GDPR states that the regulation is not limited to companies based in the EU. Many of the companies that process the personal data of people in the EU are based abroad. But the EU faces a challenge if it wants to enforce the GDPR against such companies.
This is why Article 27 of the GDPR imposes a requirement on certain non-EU companies to appoint an EU Representative. It's a way for the EU to assert the rules of the GDPR on companies based outside of its legal jurisdiction.
Who Can Be an EU Representative?
Your company's EU Representative must be established in the EU and have some legal presence in the EU. It can be an individual or a company, and one person or firm can represent several companies at once.
Your EU Representative must not be the same person as your Data Protection Officer (DPO), if you have one. This is because the DPO must remain independent and, according to the Article 29 Working Party, cannot represent your company in court.
Who Needs an EU Representative?
Anyone that is not established in the EU will need to appoint an EU Representative if they are either:
- A data controller - any person or organization that decides how and why personal data should be processed. This can mean anything from running a website with advertising cookies enabled to taking payments on an online store.
- A data processor - any person or organization that processes personal data on behalf of a data controller.
And does one of the following:
- Offers goods and services to individuals in the EU - whether they are pursuing a profit or not.
- Monitors the behavior of individuals in the EU. This could extend to something seemingly innocuous, like using website analytics or tracking cookies.
There is a limited exception if the processing is occasional and it doesn't involve sensitive personal data. But in reality, most companies that operate in the EU but have no base there will need to appoint an EU Representative.
Here's an example from the European Data Protection Board (EDPB) of the type of company that will need to appoint an EU Representative:
Once you determine that you need to appoint an EU rep, you'll need to draft a letter to officially appoint this party.
What to Include in Your Appointment of EU Representative Letter
Article 27 requires that you designate your EU Representative "in writing." This is why you need to write an Appointment of EU Representative Letter.
If you've ever looked at the GDPR, you won't be surprised to hear that it offers very little guidance on what such a letter must contain. But we can draw some conclusions from a close reading of the text and some helpful authorities.
Details of the Appointment
Provide the date of the appointment, and:
- The name and address for your company. This is "the Company."
- The name of your EU Representative. Remember that this can be a "natural person" (an individual) or a "legal person" (a company). This is "the Representative."
You can then provide some brief context regarding the reason for the appointment, for example:
"[name] is designated as EU Representative in accordance with Regulation (EU) 2016/679 ('the GDPR') Article 27."
You should also specify which EU Member State the EU Representative will be established in.
You should choose a Member State in which your company is active and to which it has some connection. The Representative must be able to speak the language of the relevant Member State.
Here's some further guidance on this point from the EDPB:
Role of the EU Representative
According to the EDPB, the letter designating an EU Representative must "govern the relations and obligations between the representative in the Union and the data controller or processor established outside the Union."
Your letter should set out what's expected of your Representative. For example:
The Representative shall carry out the following duties:
- Assist in the facilitation of data subject rights
- Cooperate with the Data Protection Authority [insert the name of the relevant national Data Protection Authority]
- Inform the Company of any communications from the Data Protection Authority or data subjects without undue delay
- Assist in the maintenance of records of data processing activities per Article 30 of the GDPR [note - companies with fewer than 250 employees are exempt from the obligations under Article 30].
This is just about everything that can be gleaned from the GDPR or the EU's institutions about the tasks of the EU Representative.
Status of the EU Representative
The GDPR makes two statements about the status of the Representative which might appear contradictory at first. At Article 27:
"The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves."
At Recital 80:
"The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."
The EDPB says:
"it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable."
How should we interpret this?
Because your Representative is established in the EU, Data Protection Authorities can easily bring enforcement proceedings against them. They can be held liable in the sense that they can be easily brought before a court.
It would be more difficult for a Data Protection Authority to bring your CEO, for example, before a court in an EU Member State, because your CEO is based overseas. It isn't impossible and theoretically can still happen, notwithstanding the presence of a Representative.
This has certain implications for your Appointment Letter, which is not ceremonial or symbolic but a "written mandate" according to Recital 80. It can be construed as a contract between your company and its Representative. You can use the Appointment Letter to balance liability between these two parties.
Conditions of the Appointment
The conditions of the appointment will vary depending on the relationship you have with your Representative. This section of the letter can include information about:
- Rate of pay
- Hours of work
- Termination notice period
These details are not governed by the GDPR at all except to the extent that the Representative must be readily available to cooperate with the Data Protection Authority or data subjects.
On this basis, you can also make the limits of the Representative's role clear. You can use wording such as "the Representative may not enter into agreements or make representations on behalf of the Company, except to the extent set out above, without the prior approval of the Company."
Indemnity Clause
You may wish to include an indemnity clause, sometimes called a "hold harmless" clause, which protects your business against any legal proceedings brought about by the actions of your Representative. The Representative must agree to cover the cost of such legal claims.
Many companies use such a clause to govern relationships with their users or contractors.
Here's an example from eBay:
Remember, the Representative doesn't assume personal liability for your company's mistakes. Your company is responsible for the safe processing of personal data.
Governing Law
As the drafter of the letter, you may wish to choose the jurisdiction in which any potential legal disputes between your company and its EU Representative will take place. This will presumably be wherever your company is based.
This is not where legal claims will be brought against your company for any potential infringements of the GDPR.
Here's an example of such a clause from Reddit:
Non-Disclosure Agreement (NDA)
Your EU Representative will have to know a lot about your company and may become aware of confidential information.
Adding a non-disclosure agreement (NDA) can make it clear that while the Representative might need to disclose such information to the Data Protection Authority, they must not reveal it to anyone who doesn't need to know.
Here's an example from Socifi's Partner Agreement:
Here's how Product Hunt does this:
Summary of Your Appointment of EU Representative Letter
Appointing an EU Representative in writing is mandatory for companies that are subject to the GDPR but are not established in the EU. Your Appointment Letter should contain:
- The date of the appointment
- The details of your company and name of the Representative
- Details of the tasks of the Representative
This is as much as is required by the GDPR, but you can also include information about:
- The status of the Representative in relation to your company
- Conditions of the appointment, e.g. remuneration
- An indemnity clause
- The governing jurisdiction in which any legal disputes will be heard
- Conditions under which any changes to the appointment can be made