A Point of View: Do Processors have to appoint an EU/UK GDPR Representative?
When faced with a data protection related quandary, most people turn to the web for an answer to their dilemma; scouring legislation, supervisory authority guidance, or perhaps resorting to a good old Google search. In doing so, you may have noticed that when it comes to guidance, much is focused on the needs of Data Controllers. Data Processors, however, are often left out in the cold, making it difficult to access the information needed to comply.
When it comes to appointing a Representative under Article 27 of the GDPR, the story is no different. In fact, we ourselves have perpetuated this, having written blogs about when Controllers need EU GDPR Representation, yet omitting to pay the necessary attention to Processors in this context. In this blog post, we seek to fill that gap.
As highlighted previously, the applicability of Article 27 is based upon geographical factors. Although this is the same for Processors, the situation is a little more complex.
Before we get stuck in, just a note to say that whilst we shall be talking in the context of EU Representation and the EU GDPR, the following also applies in the context of UK GDPR.
EU GDPR applicability – Article 3(2)
When it comes to considering whether Article 27 applies to a Processor, and thus whether a Representative is required, the first port of call should be to consider Article 3(2). Article 3 pertains to the Territorial Scope of the EU GDPR, and Article 27 states that it only applies where a Controller or Processor is brought into the scope of the EU GDPR by virtue of Article 3(2).
Article 3(2), for its part, covers organisations that are not established in the EU that process the personal data of data subjects located within the EU, where the processing relates to the offering of goods or services to, or the monitoring of the behaviour of, individuals within the EU.
Article 3(2) therefore sets out a two-part test. First, the organisation must not have an establishment within the EU. This is simple enough to determine. The second part, however, may need closer examination as it requires that the organisation must be processing personal data in relation to:
(a) the offering of goods or services to data subjects within the EU (irrespective of whether payment is required); or
(b) the monitoring of their behaviour as far as their behaviour takes place within the EU
In other words, the processing activities must ‘target’ EU data subjects in some way. This is made more complex in the context of Processors because, in its guidance on the territorial scope of the EU GDPR (Guidance 3/2018), the European Data Protection Board (EDPB) states that “The ‘Targeting’ character of a processing activity is linked to its purposes and means; a decision to target individuals in the Union can only be made by an entity acting as a Controller.”
The EDPB adds that whilst only a Controller can decide whether to ‘target’ EU data subjects, Processors can be involved in the processing activities that occur as a consequence of this targeting. The EDPB, therefore, explains that when determining the applicability of Article 3(2) to a Processor, “the focus should be on the connection between the processing activities carried out by the Processor and the targeting activity undertaken by a Data Controller.
Article 27 applicability
So, having laid out how the EU GDPR can apply to a Processor by virtue of Article 3(2), and stating previously that Article 27 applies to organisations to which Article 3(2) applies, it would seem safe to assume that our work here is done – well, perhaps not.
For, it seems, there may be one final factor that means not all Processors for whom the EU GDPR possibly applies by virtue of Article 3(2) have to appoint a Representative. That is, the Controller’s location. There has been an ongoing debate around whether the Controller’s location makes any difference to how Article 27 applies to Processors and, having done our research, the answer we have concluded is – maybe.
In essence, it has been suggested that if a Processor that falls under Article 3(2) of the EU GDPR is processing data on behalf of a Controller also located outside of the EU, it will need to appoint a Representative. But, if that same Processor was instead processing data on behalf of a Controller located within the EU, it would not have to appoint a Representative.
Why? I hear you ask. Well, for that we have to consider the purpose of a Representative which is essentially to act as a point of contact for both supervisory authorities and data subjects within the EU. Now, where a Processor located outside of the EU is processing personal data on behalf of a Controller located within the EU, the data subjects and supervisory authorities will already have easy access to someone who can deal with their queries – the Controller. And, given that the Controller is ultimately responsible for the processing carried out by the Processor, and for responding to data subjects’ rights requests, it seems hard to conceive of a situation in which the preferred option would be to go through a Processor’s Representative, only for them to contact the Processor who would then contact the Controller. As such, in these instances requiring a non-EU Processor to appoint a Representative serves little, if any, purpose.
Interestingly, the three examples (19,20&21) given in Guidance 3/2018 concerning when Article 3(2) would apply to Processors, thus triggering the EU Representative requirement, only involve instances whereby they are processing personal data for Controllers located outside of the EU. There are no examples that include a Processor outside the EU processing personal data on behalf of a Controller in the EU and consequently requiring an EU Representative. Therefore, it could be inferred that only the former circumstance triggers the EU Representation requirement. This does, however, remain a bone of contention and a grey area.
To conclude, it appears that the current state of play is likely to be this:
- If a Processor located outside of the EU processes personal data on behalf of a Controller located outside of the EU, and that processing is related to the ‘targeting’ of EU data subjects, the Processor will have to appoint an EU Representative; but
- If a Processor located outside of the EU processes personal data on behalf of a Controller located within the EU, the Processor will not have to appoint an EU Representative, regardless of whether the processing relates to any ‘targeting’ activity by the Controller
When considering what the role of a Representative is meant to be, this conclusion does seem to make sense. But, it must be noted that this comes with the caveat that this area of the EU GDPR has yet to be explicitly clarified by any guidance or case law. However, it is hoped that the introduction of the new UK Representative requirement – resulting from the UK GDPR coming into force at the end of 2020 – may prompt either the EU or the ICO to be forthcoming with some more concrete advice. If and when this does come, we shall be sure to update this blog post accordingly.
June 1, 2021