Encouraged by globalization then technological developments, the ongoing process of extraterritorial normative expansion has been embraced by the European legislator for several years. The legislator has been willing to extend its territorial scope, safeguard fundamental rights beyond its borders, and hold accountable companies located abroad. This article aims to provide an overview of this process, as well as to assess its application in the domain of personal data protection regulations. In the first part, we will examine the criteria allowing an extraterritorial application of data protection rules, and the obligation of foreign-based companies to appoint an EU representative. We will then study the obligations the representatives share with data controllers and data processors, according to Directive 95/45/EC. In the second part, we will focus on the changes induced by both the GDPR and the Guidelines of the European Data Protection Board (EDPB).
In EU law, the obligation to appoint a representative is not anything new. It exists since Directive 95/46/EC. In a context in which the circulation of personal data was rapidly growing thanks to the Internet, the introduction of this representative was a way for the European legislator to hold accountable organisms located outside the EU. This new role was meant to facilitate the work of national supervisory authorities in the event of violation of data protection regulations. However, the notion of EU representative was not born from this directive and is not specific to data protection. Similar roles exist in other disciplines, such as fiscal law or cosmetic products law. In any case, they act as the proxies of legal persons established out of the EU yet who must fulfill certain obligations due to their activities within the EU.
The Directive specifies the extraterritorial scope in article 4(1)(c). In application of this article, each Member State had to adopt national provisions pertaining to the processing of personal data where: “[…] the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community […]”.
The criteria from article 4(1) diverge from those introduced by the GDPR. Despite the differences, the two sets of criteria have an identical purpose. Both are meant to determine which connecting factors may extend the scope of application of EU legislation, and to provide homogeneous effectiveness to the rules, regardless of the location of the targeted organism.
In the provisions of the now-repealed Directive, the data processor was not considered an accountable actor in the processing chain. This explains why the obligation to nominate a representative only applied to the data controller.
Article 4 of the Directive provided for that:
“In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself […]”.
The first finding regarding this provision is the confirmation of the principle guaranteeing that:
This principle is renewed by the General Data Protection Regulation (GDPR). The regulation even extends it to the data processor as well.
The second finding regarding this provision is that the representative must be designated in the Member State where the data controller processes personal data wholly or partly by automatic means.
As we will discuss it later, the GDPR eliminates this criterion. It could be linked to the notion of “nexus” in US law. Thus, since the GDPR entered into force, a representative must be established in only one of the Member States in which the data controller targets or monitors data subjects, rather than in each Member State. As with many other EU standards, the point of this is to diminish the impact of borders between the Member States.
Articles 10 and 11 of the Directive provided for an obligation to inform data subjects in the event of direct or indirect collection of their personal data. This obligation was mandatory for both the controller and the representative. Therefore, the representative was liable for this obligation in the same way as the controller.
In addition to the obligation to provide information, Article 18 imposed an obligation on the controller and the representative, where applicable, to notify all processing operations to the supervisory authorities prior to the implementation of such processing. Furthermore, Article 19 provided that the name of the representative should be included in every notification.
The GDPR has changed the conditions for extraterritorial application of data protection rules in order to adapt to technological developments in business and the globalization of the economy. It adopted two criteria based on targeting and monitoring of data subjects. As mentioned above, under the Directive, only one criterion underpinned the extraterritorial application of its provisions: using means of processing located in the European Union.
The GDPR introduces the new extraterritoriality criteria in Article 3(2). The new criteria are:
To understand clearly the scope of these two targeting criteria, we must rely on Recitals 23 and 24 of the GDPR, which list the elements to distinguish and characterize activities that can be considered as offering goods or services or tracking individuals. In addition, it is essential to follow the European Data Protection Board (EDPB) Guidelines 3/2018 on the territorial scope of application of the GDPR.
It should be noted that, in the hereabove guidelines, the Board encompasses a wide range of activities in relation to behavioral monitoring. This broad definition includes, for example:
In addition, it is important to note that the European Board’s guidelines indicate that extraterritorial application extends not only to the GDPR but also to other legislation, such as EU sectoral legislation, and the national legislation of each Member State.
Indeed, even if the conditions for the application of GDPR extraterritoriality are met, other EU or national laws applicable to data subjects will have to be identified as well. The applicable law altogether will have to be determined using the data subject’s country of residence or nationality, or other connecting factors. For example, a person who is in the European Union and of French nationality will benefit from the protection of the GDPR but also from the French law n° 78-17 on “Information Technology, Data Files and Civil Liberties”.
In conclusion, the extraterritoriality enjoyed by the GDPR also benefits national or sectoral EU rules with a similar objective. Consequently, if a controller or processor does not comply with the obligations of the GDPR or of the other applicable rules mentioned above, the supervisory authorities may, in accordance with Article 58(2) of the GDPR, adopt the sanctions provided for by these rules on the territory of the Union. This may include, for example, the application of a corrective measure such as the suspension of the transmission of data flows or the prohibition of the continuation of automated processing.
Yes, Article 27 of the GDPR maintains the obligation to appoint a representative in certain cases. The controller or processor must be established outside the European Union. If not, we are no longer in a case of extraterritorial application but in an application of the GDPR under the criterion of EU establishment. A representative is then no longer necessary, but the appointment of a Data Protection Officer (DPO) may be.
In this regard, it should be noted that the Board, in its Guidelines 3/2018, clarifies that the presence of a representative in the EU does not constitute an “establishment” of a controller or processor under Article 3 of the GDPR.
Furthermore, the obligation to appoint a representative depends on the regularity, risks, and volume of data processing.
For this obligation to apply, the processing must either be regular, involve large-scale processing of sensitive data or data related to criminal offenses, or be likely to result in a risk to the rights and freedoms of data subjects. There is no requirement for this risk to be high. As for the notion of large scale, it is relative. To determine whether data is processed on a large scale, account must be taken of the number of data subjects, either in absolute terms or in relation to the population concerned, the volume and/or the spectrum of data processed, the duration and the geographical extent of the processing activity. These criteria have been defined by the EDPB’s “DPO” guidelines in its version adopted in 2017.
Therefore, the appointment is mandatory as soon as one of these criteria is met, for any processing activity pertaining to a natural person located in the EU.
Are there any exceptions to the obligation to appoint a representative?
Article 27(2) states that the obligation does not apply if the processing which is “occasional”, does not include, on a large scale, processing of sensitive data or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons. Furthermore, the obligation does not apply to public authorities or bodies. They are exempted from the obligation to appoint a representative.
In other words, for the obligation to arise, the controller or processor must be a natural or legal person under private law.
In which country should the representative be appointed?
Article 27(3) of the GDPR provides for that “the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are“. As mentioned earlier, this differs from the Directive which required one representative per country.
In Guidelines 3/2018, the European Data Protection Board specifies that, should data subjects be dispersed in several States, the representative must be established in the State where a significant proportion of the data subjects are located. “[…] In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State “.
The guidelines do not clearly explain what to do if the processing involves persons in several Member States with a significant proportion of data subjects. Thus, it is seemingly up to the controller or processor to choose one of the States where a significant proportion of the data subjects is located. In any case, “the place of processing, even by a processor established in another Member State, is here not a relevant factor for determining the location of the establishment of the representative“.
Furthermore, the Board indicates that the representative must remain easily accessible to data subjects, including those who are not located in the State where the representative is established.
What are the formalities for the appointment?
Previously, the representative had to be designated by the controller to the supervisory authority. However, under the GDPR,, there is no obligation for the controller or the representative to notify the appointment of the representative to a supervisory authority. Nevertheless, the EDPB does consider this notification as a good practice.
Article 27(4) of the GDPR provides for that the representative must be “mandated to be addressed on all issues related to processing”, and Recital 80 states that the representative “should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf”.
Violation of the appointment requirement is punishable by the fine provided for in Article 83(4) of the GDPR, i.e. 2% of the annual worldwide turnover or up to ten million euros, and could be accompanied by a periodic penalty payment or by a corrective measure, such as those mentioned above.
Who can be appointed as a representative?
The representative can be a natural or legal person, provided that they are legally capable of representing the entity requiring it. In this respect, the EDPB explains that:
Does the appointment remove the responsibility of the controller or processor?
It doesn’t. As with the 1995 Directive, the Regulation has maintained the principle of accountability of both the controller and processor. This means that appointing a representative does not relieve the controller or processor of their responsibilities under the Regulation. Indeed, Article 27(5) provides for that “the designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves“. The mandate would only be a representation mandate.
Does the representative have to inform the data subjects?
The Regulation does not impose an obligation on authorized representatives to inform data subjects in the event of direct or indirect collection of their personal data. In accordance with Articles 12, 13, and 14 of the GDPR, this obligation falls exclusively on the controller. However, in France, Article 82(1) of the law n° 78-17 on “Information Technology, Data Files and Civil Liberties” provides for that any subscriber or user of an electronic communication service must be informed in a clear and complete manner, unless they have already been informed by the controller or the representative.
This provision seems to establish that, in the event of the deposit of cookies or any other electronic tracker, the obligation to inform is incumbent on both the data controller and the representative, in a non-cumulative manner. In the event of non-compliance with this obligation to provide information, both parties may therefore be prosecuted.
Does the representative have to keep a record of processing activities and make it available to the supervisory authorities?
The answer is yes. Article 30 of the GDPR obliges controllers, processors, and their representatives to keep a record of processing activities and to make it available to the competent supervisory authority. This obligation is common and shared between these three actors. The obligation to keep the record will only cover the processing activities of persons located in the European Union.
However, for the EDPB, the controller and the processor continue to be accountable for keeping the record, and they cannot discharge this obligation by arguing that a representative has been appointed to keep it.
Furthermore, the EDPB considers that the representative must be provided with accurate and up-to-date information so that the record can be kept up to date and made available to the authorities if necessary.
Does the representative have the task of acting as a contact point?
Yes, this is one of the central duties of the representative shares with the represented entity. Article 27(4) of the GDPR provides for that the representative is the person to whom the supervisory authorities and data subjects should address any questions relating to processing. Recital 80 specifies that “Such a representative should perform its tasks according to the mandate received from the controller or processor […] to ensure compliance with this Regulation”.
The same Article 27(4) also specifies that the representative may be a primary or secondary point of contact with the Controller and the Processor. This obligation is common between the representative and the represented entity.
The appointment of the representative does not prevent data subjects or supervisory authorities from contacting the controller and processor directly.
Is the duty to cooperate with the supervisory authorities part of the representative’s obligations?
Yes, Article 31 of the Regulation provides for that the controller, the processor, and, where applicable, their representatives must cooperate with the supervisory authority at the latter’s request. Recital 80 states that “such a representative should perform its tasks […] including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation”. This requirement is also one of the common obligations of the representative with the controller and the processor. It pertains to the obligation to facilitate communication to ensure compliance with the Regulation.
In its Guidelines 3/2018, the EDPB states that “In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations […] and the representative shall be able to facilitate any informational or procedural exchange […]”.
Does the representative have to complete formalities for the supervisory authorities?
The answer is yes, this is one of the obligations shared with the controller and/or the processor.
Indeed, requests for opinion or advice sent to the supervisory authorities must specify the identity and address of the representative if the controller or processor is not established in a Member State of the European Union.
However, given the active accountability regime adopted by the GDPR, it is not mandatory to declare most processing operations, so this is a rather exceptional activity.
Declarations to the supervisory authorities only apply to certain processing operations. In France, prior formalities are required for processing carried out for governmental purposes or for medical research.