Everything You Need to Know
Frequently Asked Questions
Yes, if you do not maintain an ‘Establishment’ in the EU and (after Brexit) the UK and you collect, process, sell or provide goods or services to, or monitor the activities of, EU and UK citizens. The term ‘Establishment’ is intended to mean an organisation’s permanent place of business, including a subsidiary company, that is located within the EU or UK.
No, if your business only occasionally collects and processes personal data, the processing does not involve special categories of personal data such as race, ethnic origin, political behaviour, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and such processing is unlikely to result in privacy intrusion.
A Data Protection Officer looks after your GDPR compliance framework and the privacy of your data subjects, and advises and assists the business in meeting compliance with the GDPR and all local data protection laws and regulations. The role of the DPO is independent of the business and has special protection from influence over its recommendations and advice. The DPO will work with your business in drafting appropriate policies, procedures and registers, and provide training to your staff. The DPO will also take a lead role in the investigation and resolution of reported data breaches, including advising on mitigating actions and compensation to affected data subjects.
A GDPR Representative, on the other hand, acts as your appointed local EU or UK representative and point of liaison and contact for supervisory authorities and your data subjects. It does not provide advice, but provides an essential platform for communications with your data subjects and Regulators and acts as the first point of contact. It also works with you in responding to data subject requests, complaints and threats of action or enforcement. Unlike your DPO, the GDPR Representative is not independent and provides agreed contractual services on your behalf. It is also responsible for holding a detailed register of all your processing activities within the EU or UK.
The process is informal but must be evidenced in writing and signed by a responsible officer of your company who has the requisite authority to enter into such a service. A letter of appointment is the usual format, along with a service agreement identifying and recording the services to be performed.
Your GDPR Representative can be liable for any breaches or violations of the GDPR it itself commits, but not for any acts or violations committed by your company. However, any form of sanction imposed on your GDPR Representative could impact your company’s brand and credibility, and you should therefore only use a representative service that is staffed by qualified and suitably experienced data protection compliance professionals and/or privacy lawyers.