What is the GDPR Article 27 - EU Representative?
Many clients active in the EU but without an EU presence are required by GDPR to appoint an EU representative (Art 27). There are some exceptions, but we can ignore those for now. So what is the role of the Article 27 EU Representative?
Recital 80 of GDPR describes the role:
"The representative should act on behalf of the controller or the processor"
It really isn't clear what is meant by 'should' and by 'act', but broadly, it seems to mean that it is expected that the Representative be given some degree of authorization to speak for the Controller or Processor. What action could be involved? The rest of the sentence may help answer that:
"and may be addressed by any supervisory authority…"
So far that sounds like corporate secretarial services. Article 27(4) actually adds to this "and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation." Meaning the Representative may be approached by the supervisory authority, or by data subjects, on all issues related to processing. The Representative should act for the Controller or Processor in this communication capacity.
Recital 80 continues and gives further meaning to how the Representative could 'act' for the Controller and Processor:
"Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation."
This is a little more substantive. The Representative must cooperate with the supervisory authorities regarding 'action taken to ensure compliance'. This could mean cooperating regarding Records of Processing, which the Representative ought to have access to (Article 30). Perhaps this refers to notifications of a personal data breach (Article 33-34) or a prior consultation (Article 36).
Article 31 also provides:
"The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks."
In other words, the representative must cooperate, on request, with the supervisory authority. It is not clear from this language what recourse, if any, the representative has to object to such cooperation, or to delay while it takes advice and so on. But this is more than exchanging information; this is "cooperating on request, with the supervisory authority in the performance of its tasks." The Representative represents the Controller or Processor, but may then be effectively commandeered by the supervisory authority to cooperate with it in the performance of its tasks. It may be a stretch, but perhaps, just perhaps, GDPR would allow the Representative to be compelled to cooperate with the supervisory authority, even against the instructions of the Controller or Processor. And yet Germany's New BDSG s.44(3) says that the Representative is an authorized recipient for civil proceedings on behalf of the Controller or Processor. Meaning, they are compelled by the law to act both as an agent of the Controller and Processor, and on the instructions of the Supervisory Authority.
Finally, Recital 80 drops a bombshell:
"The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."
Note this last sentence! If the Controller or Processor, for example, do not comply with enforcement proceedings, the EU Representative will subjected to enforcement proceedings in their place. But that's just the beginning. Under Spain's new data protection law, section 27, the Representative has joint and several liability with the Controller or Processor.
The EU Representative thus gets the short end of the stick, or actually two short ends. Where it suits the supervisor, the Representative represents the Controller or Processor. Where it suits the supervisor, the Representative acts for the supervisory authority.
Over time we will see how this role develops, and how, if at all, courts and the law interpret these conflicting roles of the Representative.