GDPR and its Application to Non-EU Countries
This new regulation, which replaces Directive 95/46, inevitably applies to personal data processing taking place within the borders of the EU. In accordance with Article 3 of the GDPR, titled “Territorial Scope”, it also applies to non-EU countries:
If a data controller not resident in the EU offers goods or services to EU citizens, or
If the behavior of people within the EU is monitored.
The EU Data Representative
The EU Data Representative (hereinafter “Representative”) is one of the responsibilities that arise when the GDPR applies to non-EU countries under Article 3. It is regulated in Article 27 of the GDPR, titled “Representatives of controllers or processors not established in the Union”.
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
When GDPR Article 3 and Article 27 are evaluated together, you are obliged to have a Representative if you, as a company and data controller, are processing the data of the data owners living in the EU, or if you are processing data for specific data categories and you do not have an office located in the EU.
The Location of the EU Data Representative and its Appointment
The Representative in question may be a natural person residing in the EU, but legal entities (law firms, consultancy companies) established within the Union are generally preferred. In this case, the location chosen is generally one of the countries where the representative processes the most data. However, in accordance with the regulation, the appointment of a Representative must be made in writing. This appointment also constitutes the written contract between your representative and your company. A Representative can act on behalf of multiple data controllers and data processors that are not located in the EU.
The Difference Between the EU Data Representative and the Data Protection Officer
Finally, an important point to mention is that the Data Protection Officer (DPO) and the Representative are two concepts that do not represent the same position. The duty of the DPO is to assist companies independently in complying with data protection legislation and to provide necessary information. While these officers perform their duties, they do not receive any instructions from the data controller or the data processor. However, when we look at the job description of Representatives in the data protection legislation, they act in line with the instructions they receive from the relevant company. As a matter of fact, the European Data Protection Board stated in its recently published guideline on the “Territorial Implementation of GDPR” that the DPO’s function differs from the Representative’s function, especially in order to prevent conflicts of interest.