Awareness of the legal duty to appoint a GDPR Representative increases following enforcement
Clearview was fined €600,000 in Italy and locatemyfamily.com €525,000 in the Netherlands for failing to do so. Tim Bell of DataRep reports.
It would be fair to say that the obligation to appoint a Representative under Article 27 of the EU GDPR (and, at the date of writing, the equivalent obligation under the UK GDPR) is one of the less-commonly discussed parts of the GDPR. However, this somewhat unloved requirement – which the author described around GDPR Day in 2018 as the “hidden obligation” of the GDPR – is increasingly discussed in the privacy community, and recent enforcement actions have brought it back into consideration for the many companies to which it applies.
As a quick summary, GDPR Article 27 requires that an organisation, which has no EU establishment but sells to the EU or monitors people there, is required to appoint a Representative in the EU, to act as their European point of contact for data requests, and to hold a copy of their Record of Processing Activities (ROPA) to be made available to EU authorities on their request. Since Brexit, there has also been an equivalent obligation in the UK for non-UK organisations.
International Report subscribers: please login to access the full article.
If you wish to subscribe, please see our subscription information.