Serious Privacy
The PICCASO award winning Podcast, for those who are interested in the hottest field of human rights and laws on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics including interviews with privacy leadership, privacy culture, serious discussions, and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
A Walkin', Talkin' EU Rep: An Open Conversation
What is a representative under GDPR? Why do I need one? What do they actually do? Are these questions familiar to you? Does it sound like we are reading your mind? Then join us for this exciting unscripted conversation with Tim Bell, Managing Director of the DPR group - a walking, talking, EU representative.
If a data controller or processor does not have an establishment in any of the member states of the European Union, they have to appoint a representative. This is stipulated by article 27 GDPR. But does this really happen? The EU Member States seem to have concerns. In their evaluation report of the GDPR, they say it is uncertain to what extent controllers and processors from third countries have complied with the Representation obligation.
Apparently, there are cases where a representative has not been designated. Reason enough to dive a bit deeper into this topic and discuss the role of the representative and how to appoint one. In this podcast, we address a variety of topics such as the complexities of current EU representatives established in the United Kingdom and what that means for companies who will need a UK representative in the EU or vice versa.
Resources and Social Media
LinkedIn (company): https://www.linkedin.com/company/18312118
Hamburg DPA Investigation: https://datenschutz-hamburg.de/assets/pdf/27._Taetigkeitsbericht_Datenschutz_2018_HmbBfDI.pdf (p. 52/53)
EDPB Guidelines on Territorial Scope: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
You're listening to Serious Privacy by TrustArc. Please welcome our hosts Paul Breitbarth and K Royal.
Paul: If a data controller or processor does not have an establishment in any of the member states of the European Union, they have to appoint a representative. This is stipulated by Article 27 of the General Data Protection Regulation. And yes, we're getting technical today. But does this really happen? The EU member states seem to have concerns. In their evaluation report of the GDPR, they say it is uncertain to what extent controllers and processors from third countries have actually complied with this obligation. And apparently there are already cases where a representative has not been designated. Reason enough to dive a bit deeper into the topic and discuss the role of the EU representative and how to appoint one. My name is Paul Breitbarth.
K: And I'm K Royal, and welcome to Serious Privacy. Today we are honored to be joined by Tim Bell, and I will let him introduce himself, but we all know I'm going to start with the first question. And it's going to be an unexpected question, and I have a fantastic one this time. If you were an animal, what would you be?
Tim: Oh gosh. Well, I'll start off with the introduction. Tim Bell, Managing Director at DPR Group, and we are solely dedicated to GDPR EU representative work. As for what animal would I be? Gosh. I don't think I'd be a cheetah or a jaguar, nothing too desperately fast. I like that. Maybe a crocodile, I suppose? Not massively fast, but a survivor. I've come through from the dinosaurs and remain with us now.
K: Survival is top of mind right now, no doubt.
Tim: Well, absolutely.
K: Paul, what would you be? It's hard.
Paul: I'll probably be a bird, maybe a blackbird. I would like to be able to sing as nicely as the blackbirds and roam around the country, sit in the shade, bathe in the sun, and just be free.
K: Well, I have to say that I think I'm a lot like Tim. I would go towards being a cat. Now, if I had my choice, I'd be a red panda, because who doesn't like red pandas, which are kind of like raccoons and pandas and cats all mixed together. That attitude of "leave me alone until I don't want you to leave me alone." Yeah, that probably works.
Paul: Sounds good.
K: Beautiful. All right, let's dive into today's conversation. I want to start out by saying that I met him years ago, I believe, at the Privacy and Security Forum, which has switched to being a virtual forum this year under the circumstances, and we hit it off immediately because, at the time, I was working as one of the lead consultants for TrustArc. And we had lots of clients that were looking for EU representatives for the GDPR. And the problem is a lot of people were confusing the EU representative with the DPO. And I was like, no, no, no, no, no, and trying to explain it, and then boom, Tim comes into my life, and miracles happen every day. So with that, Paul, I know you probably have some fantastic questions lined up, as you always do, so I will let you start.
Paul: Well, I think the first question is one that you could have thought of yourself as well. What actually is that EU representative? And indeed, why is it different from the DPO? Tim, you explained it apparently very well to K already, and to all of these other confused Americans. So what is the EU representative?
Tim: Well, actually, it's a quick question. I'm fortunately benefiting here from the EDPB and their guidance, where they've set out a very good summary of what the representative is. So I'm just going to quote this to you, effectively word for word. The representative has the aim of facilitating the liaison with, and ensuring effective enforcement of the GDPR against, controllers or processors that fall under Article 3.2 of GDPR. Now that's the boring version, if you like. Basically, what the representative does is act as the conduit for communications between the data subjects and the authorities in the European Union and the data controllers and processors, those companies which are actually dealing with that personal data outside of the European Union. So the role is really there to help facilitate the individuals enforcing their own rights and raising their requests against those processors and controllers. And that's really, day to day, the majority of what the representatives will do. And then the second stream of it is that we act to help the authorities to enforce the GDPR against these companies outside of the EU. As we all know, one of the big efforts of GDPR was to bring companies outside of Europe into the scope of GDPR. But then obviously one of the issues with that is how you actually enforce these obligations against them. There are a number of legal ways, and I certainly won't be going into those, but by having the representative, effectively it gives them someone in the EU with the crosshairs on them. So if they start any enforcement action, if that company isn't playing ball, and ultimately if that company doesn't meet any enforcement action raised against it, so potentially the fines, then the representative is also at that point stepping in to help.
And it's much easier for the authorities to bring the fine against the representative, and for the representative then to recover contractually from their clients, than it is to just fine a company in the US or Australia or Japan or wherever it may be, and then try to enforce that fine internationally.
K: Now, the interesting thing about that is this is a legal issue that we come up against. So I'd love to explore this with you. If the purpose of the EU representative is explicitly so that they have jurisdiction over the company and it can't argue they don't have jurisdiction, what if the company never appoints an EU representative?
Tim: That's a very interesting question. It's one that comes up very regularly. Because we're Americans, of course it can. Absolutely. I mean, the question is actually: by having a representative, am I putting myself more at risk of a GDPR fine because I've effectively got a European outpost that they can point at? And I would say personally, not really. Effectively, a company isn't brought under GDPR because they have a representative; they are under GDPR because they're processing the personal data. So the authorities have the ability, or the remit, to investigate those companies and to raise the fines against them, whether or not that representative exists. Now, in theory, once those fines have been raised against them, then it may be ever so slightly easier to actually recover that fine money from the company if they have a representative, assuming that the representative has a very solid contract in place with their clients. But it's the last step in the process. So what would happen is an authority in the European Union would bring a fine against the company, let's say ACME Corp in the US, just so we've got an example out there. They raise that fine, and ACME Corp then says, "Oh, well, I'm not really too keen on paying a 200,000 euro fine. What I'll do is use my lawyers here in the US to frustrate that process." They'll use all of the legal methods that they can to try to delay that payment, or to actually end up frustrating it and appealing everything when the authorities are trying to enforce that fine from overseas. It will only be at that stage that the representative effectively becomes part of that enforcement discussion, because then the authorities in Europe are going to say, okay, we've tried to recover from this company in the US, they are causing us problems, it's being very problematic.
At that stage, having effectively failed to recover from the company with primary liability, they would then go to the representative. So ultimately, in the end, it may be easier to recover against a company if they have a representative than if they don't. But you're talking about the last couple of percent at the very end of that process where the difference is going to be made. And not appointing a representative to avoid GDPR liability certainly isn't going to work, because you are liable if you are selling goods or services to the EU or you're monitoring people in the EU. Underwater.
Paul: Oh yes, I fully agree. And believe me, DPAs will find ways to enforce the GDPR even if you do not appoint that representative. They have done so in the past. I know that when I was still with the Dutch DPA, we had to enforce an order against WhatsApp, which was still independent at the time, following a joint investigation with the Office of the Privacy Commissioner in Canada. Also then we found ways, and there are bilateral arrangements between data protection authorities, there are multilateral arrangements between data protection authorities. So if you have overstepped your mark and contravened GDPR, for sure they will find you.
Tim: Yep, absolutely.
K: And that's really the... I don't think anybody can really escape regulators, can they?
Tim: It depends on how effective the regulators are, I suppose, but that's a topic for another day.
K: I think they're better at tracking people down than alumni associations.
Tim: Quite possibly.
K: Who can ever get away from their alumni? Sorry, Paul, go right ahead.
Paul: No, that's fine. That's fine. Because then we are talking about indeed the companies that are not established in the EU. And now, without going into too much legal technical detail, being established in the EU basically means that you have an office here, right? A meaningful office with something to say, where people can make an impact on what is being done with personal data that is being collected from people that are physically in the European Union. So as soon as that is the case, but there is no office, then they would need a representative.
Tim: That's it exactly. So yes, that establishment question, as you point out, is a very complex one, and a lot of companies may be surprised to find that they actually do have that establishment, because they believe that their European efforts may be quite minor and not actually cross over that threshold. But yes, any company who doesn't have any location in the EU, or even in some cases if they do have small locations but they're not customer-facing ones. So we have a couple of companies where they do actually have an establishment in the EU, but they just wouldn't want to list it on their privacy policy as a point of contact because it may be a factory or a software developer unit. So it's really there to be listed on the privacy policy. When you're writing that privacy policy to be compliant with GDPR, you're going to want to list a way that individuals can raise their subject access requests. And if you haven't got an address in the EU to which they would be able to raise those requests, then certainly that's likely to be the point at which you need to add that representative in. And actually, one of the things I think is very interesting about the representative is that it's a very visible element of compliance or non-compliance under GDPR. Because you either have an office in the EU, which will be shown on your website no doubt, and easily available to those individuals, or you have a representative listed in your privacy policy. Now, any authorities in the EU who are looking at a company and trying to figure it out, maybe they've just had some minor concerns raised, maybe they're just having an initial investigation. The first thing they're going to do is go to that privacy policy, and looking at that privacy policy, if there isn't a European address or a representative, straight away they've identified some non-compliance there.
So it's something which very visibly shows compliance, or the lack of it very visibly shows non-compliance.
Paul: So what about all these companies that thought they had an EU representation, namely an office somewhere around London or anywhere else in the UK, and are now confronted with Brexit? What happens there?
Tim: Absolutely, Brexit. Well, I'll avoid going into too much detail about my own personal views of it. I suspect, as a European citizen yourself, Paul, that you have similar views to myself. Probably. But regardless of views, it has now very much happened. In fact, on the 1st of January of this year, so a few months ago now, the UK technically left the European Union. But we're currently in the transition period during which, until possibly the end of the year, maybe a little later, the UK will continue to be treated as an EU member state for the purposes of EU law. So at the moment, although we're not technically an EU member state, GDPR still applies directly to us. Now, when the Brexit transition period formally ends at the end of 2020, or later if it is delayed, which most people are hoping for apart from the UK government, then what happens is the UK will no longer be part of the EU. It'll be a third party for the purposes of GDPR. And that will mean not only are there potentially issues with the data transfers, and that's something we could probably spend another five hours talking about on its own, but any company in the UK which doesn't have an EU establishment, so if its office is in London but it doesn't have an office in Paris or Berlin or elsewhere, then those UK companies are going to need an EU representative under this law. And there's been a lot discussed about Brexit; this is one of the less discussed elements. Certainly when it comes to the GDPR, the part that's talked about most is the transfer of data, whether the UK is going to be an adequate country under GDPR. But this element of the representative is something which is going to really catch a lot of people out.
Because the representative has never really been a part of the GDPR conversation in the EU, apart from the real experts, the lawyers who are really, really clued up and have read GDPR cover to cover. The privacy geeks. The privacy geeks, absolutely. Those of us who are intrigued by the detail, even if it doesn't actually apply to us at any point. And this is the thing: the representative has never applied to any EU company. So here in the EU it's just not been part of the conversation, and I say EU there including the UK, and that has actually led to a lot of problems initially, and still to this day to an extent, about those companies outside of the EU knowing about this obligation. I call it the hidden obligation, because it's not being talked about in the EU. And that means that the companies outside of the EU, particularly those SMEs who don't have the European location, because the big global companies will have an office in France, an office in the UK, an office in Ireland, offices everywhere. But the SME companies, who are the ones who may need the representative, aren't knowing about this detail because they're probably getting a lot of their information from Google, to be honest. It's free advice, and for an SME it can certainly sometimes be beyond their means to spend thousands of dollars, or whatever currency it is, bringing in a proper consultant. So if they're doing their GDPR preparations by Googling, what they're getting is a lot of material written by European lawyers for European companies that mentions the data protection impact assessment, the privacy notice, the need for consent and other lawful means of processing, but it's not mentioning that representative.
So these companies may be doing everything that they think is necessary to meet GDPR, but they're just missing out on this element because it's just not part of the conversation that we're having in Europe, and so that is then passing on to our privacy peers around the world.
Paul: And it will now become relevant for almost every single company doing business in mainland Europe or in the UK, because I understand this obligation is also part of the UK GDPR. So European companies not established in the UK, because they had representatives anywhere else in one of the EU 27 member states, now need a UK representative as well.
Tim: Absolutely, and this is going to catch a lot of European companies, and when I say European, I mean EU companies, out. Because yes, the UK companies are looking at this, and we have a change in law so that we're not under GDPR anymore, we're under the Data Protection Act 2018 as amended. But in the EU 27, those companies will still be under GDPR. GDPR won't have changed, but suddenly, if they're selling to the UK, the new UK law says that basically the equivalent role exists. If you're selling to the UK or monitoring people in the UK and you don't have an office in the UK, then you need to appoint a UK representative. And I've said UK there a lot. Hopefully that's not too confusing. But yes, the same role is required of companies selling to the UK without a UK establishment as applies to companies selling to the EU without an EU establishment. So instead of having the two zones we originally had, with EU and rest of world, we're then going to have EU and UK and rest of world. So any US company, for example, talking about ACME Corp again: if it needed a representative before, then it won't have had an establishment in the EU 27 or the UK. So it'll now need an EU representative and a UK representative if it's selling both to the EU and to the UK. And many US companies may have a single office in Europe, and that office will often be in London because of the convenience of language. We all speak English, so it makes sense to put an office there.
Paul: And if it's not in London, it's in Dublin.
Tim: If it's not in London, it's in Dublin, absolutely. The companies with the office in Dublin will be fine for the EU representative but may need the UK representative. The companies whose office is in the UK will be fine for a UK representative but may need an EU representative. So it really changes the position for a lot of companies who thought that they'd got everything in place for GDPR and who, to be honest, are likely not to be looking in a great deal of depth at how Brexit will affect GDPR, on the assumption that they already have everything in place to cover the UK when it was in the EU anyway.
K: And how many companies do we know that think that they are completely covered for GDPR? Just saying.
Paul: Is there one?
K: Right, there has to be one or two out there. But that's interesting, Tim, because that was one of the things I was curious about with you. Do you have offices in both?
Tim: So, yeah, we're in quite a fortunate position. We're the only EU representative service which has a contact location in all 28 of the EU countries.
K: I did not realize that. I'm glad I asked.
Tim: Well, absolutely, no. Thanks for checking. It was originally done very much as a customer experience benefit, so that it didn't matter if you're living in Estonia or Romania or Portugal or Denmark or wherever, you can always raise a request within your own country by post. And so that was something we sold to our clients as, you know, you're offering the best service to your data subjects here, so they can raise their requests. But then the European Data Protection Board guidance, which I mentioned earlier, it's guidance 03/2018, if anyone's looking it up.
K: And because somebody will look it up.
Tim: We'll put it in the show notes. Absolutely. Well, it's one that probably many people have already read, because it's the guidance note relating to extraterritorial effect. So the first three quarters, four fifths of it, is about how GDPR applies outside of the EU. And then at the end, they've just added some clarity about the representative. What they did was add a lot more detail about where the representative should be. Because the original text of GDPR stated that the representative should be in one of the countries in the EU where the controller or processor has data subjects. Now that's fine, but it left it quite open. If you had 10 million people in Germany but one in Bulgaria, then you could technically have your representative in Bulgaria. Now the guidance came along and said actually it's a matter of good practice, and certainly I think good practice is what's necessary to show privacy by design and by default. As a matter of good practice, you should have your representative established in the country where the largest number of data subjects is based. And that makes sense, so that those individuals are more likely to be able to raise their requests in their own country. But it then goes a little bit further and says that the individuals in other EU member states should have easy access to that representative. To my mind, that means that the individual should really be able to raise the request in their own country, or at least in a neighbouring country. So if you're talking about maybe France and Germany, who have a border, maybe if you've got most of your data subjects in France but a significant number in Germany and you only have your representative in France, then for those German individuals it's only across a single international boundary, so it won't be too difficult to raise their request.
But if the data subjects are based, and I realise Romania and Bulgaria are getting a bit of a mention here, but it's because they're the further out ones, actually it would be no easier for a Romanian individual to raise a request to France than it would be to the USA. So it's difficult to say that that representative in France is effectively representing the American company to the Romanian individual. And so that has proven really beneficial for our clients, because they now have that network of contact locations all around the EU. So if they see a shift in their demographics, maybe if they start the year with most of the people in France but then they get a really big contract in Poland, then they'll see that demographic shift, so most of the individuals are in Poland, and technically they should be looking for a new Polish representative. But if they have a single representative which has offices in all of those countries, then what it means is they're covered, and it's less of a worry for them as those demographics change.
Paul: No, that's certainly clear, but the legal obligation is just to have one in a member state to which you have connections, right? It's not that you always need to have all EU 27 plus EEA countries plus the UK covered. In all situations it would be one for the EU and one for the UK.
Tim: Yes, for the most part. I mean, I would say if data subjects are spread across the entire EU, it may be difficult to justify just having a single one, especially if that one was on the edge of the EU, so say Ireland or France or Portugal, for example, kind of around the edges and further away. But it comes down to this best practice element again from the guidelines. So yes, absolutely, the wording of GDPR says you need one, and it should be in one of those countries where you've got people, but it's kind of this best practice obligation. It's the privacy by design and by default: companies, in order to prove they're taking GDPR seriously, need to show that they've considered the options and done their best. And I think personally that having a single-location representative, if the data subjects are spread across the whole EU, may be a struggle to say you've been fully compliant with the representative obligation.
Paul: So let's say you have found out that indeed you need a representative and that you have selected where you want that representative to be. What do you need to take care of? Can you just say, well, you are my representative, or are there further administrative obligations to take care of, like notifying the DPA, putting it in your notice, contracts? What should I think of?
Tim: It shouldn't be too complex a process. Certainly it shouldn't be as complex as appointing a DPO, because the DPO will be a lot more involved in the day-to-day activities of that company and the processing activities. The representative is by definition very much separate: it sits in Europe, outside of the company, which is outside of Europe. The obligations under GDPR are fairly simple. You need to have a contract in place, so there needs to be something which shows that the representative has been officially appointed to that role, so they're not just acting as a messaging service, they are an official representative under Article 27. But there's no obligation to notify the authorities of your representative, as there sometimes is with the DPO. There's no obligation to make any formal documentation, no specific separate document which you'd have to supply. But you would need to amend your privacy policy, which you'll already have, and in the contact section what we generally recommend is simply to include the details: "if you want to contact us to exercise your privacy rights, contact us at" the usual email addresses and postal addresses, and then underneath that state "if you're based in the EU and you have rights under GDPR, you may also contact us via our data protection representative, who is" whoever it may be, "and you can contact them through this email address, on this web page, at these addresses," etc. And then after the Brexit transition you'd have a further section underneath that which would say "if you're based in the UK you can contact our UK representative at" blah blah blah. So the privacy policy is really the one place where it's most important to note it.
It's not specifically set out as an obligation in GDPR, but it's implied simply by the fact that you need to let these individuals know about your representative, and that's actually in the relevant recital, Recital 80 of GDPR, for the super geeks who want to go into the recitals as well. Recital 80 is the place to find the kind of thinking behind the representative obligation.
Paul: What about the data protection authority? Are they just going to find out from your notice, or do you typically send them letters as well saying Company X has now appointed us as their representative, or does Company X send the letter saying that they have appointed you as their representative?
Tim: No, there's actually no notification obligation to the authorities at all. There is an obligation, I should also add, to set out the details of your representative in your records of processing activities under Article 30. And the representative is actually required to hold a copy of those and make them available to the authorities if they request them, but again it's an internal document. It's not something that you would send to the authorities as a matter of course; you'd simply have that in your company, you'd use that as a reference document, but you would make it available to those authorities on request. So the representative really is very much in that same position, where you wouldn't notify the authorities up front, and that's all to the better, both for the companies themselves, to save them a job, but also for the authorities, to save them the extra administration at a time when they're very busy. So it's really just listed on that privacy policy, and that's the purpose of it: to be listed on that privacy policy to make people aware of this method of contact. It always should be listed on that policy, and that means that the authorities always know that they'll be able to find it in that document.
Paul: That sounds pretty straightforward to me.
SPEAKER_01: Fingers crossed, fingers crossed. I mean, it's because it's one of the less known obligations, and because to date the majority of the enforcement efforts have been within the boundaries of the EU, or where they've been outside, they've been large global companies which have had locations and establishments in the European Union, so they haven't needed a representative. It's only really now that we're a couple of years in that those smaller and medium sized companies outside of Europe are starting to see the enforcement process reach them.
Paul: I've actually found a case on the representative. I was looking through our database earlier today and saw a case from Hamburg in their 2018 annual report. The Hamburg Data Protection Authority at the time had reviewed a data breach by an international soccer association related to the Russia 2018 World Cup, and apparently at the time the personal data of 2800 tournament volunteers was accessed by unauthorized parties. But they had a representative, and they also had a representative located in Hamburg pursuant to Article 27, so they were able to notify the data breach through their representative to the appropriate authorities. So there was no sanction issued, but the Hamburg DPA showed in their report how important it can be to indeed appoint that representative, even for something like a soccer tournament.
SPEAKER_01: Oh, absolutely, and it will have been a huge plus point for that company to have that representative, not only in Germany but actually in the city. When the authorities were looking at that breach, that will have acted to give them a very positive view of that company, because it shows how much they're trying to put the ability to enforce those rights in front of those individuals in Europe.
SPEAKER_02: When I work with my clients, which I don't do as much hands-on client work anymore, but when I talk to people about EU representatives, they're really curious as to what you do. And I know we've spoken about the EU representative duties, but let's go a little deeper: what do you do on a daily basis? I'm assuming you're not handling issues for all of your clients every day, like in 10-minute increments.
SPEAKER_01: No, absolutely. So really the majority of the operational work we do is dealing with the subject access requests we receive on behalf of our clients. So there'll be an individual in the EU, let's say France or Germany, they want to raise a request of ACME Corp in the US. They will email us, they'll write to us, they'll contact us via our website landing pages to raise that request. We will then acknowledge that to the individual, which we think is an important step because it then gives that individual the reassurance that their request is being looked at, and we forward that on to our clients with some quite high level guidance. Now, I'm a lawyer by training myself, but yes, I know, in recovery at the moment; I'm hoping to have been clean from lawyering for a couple of years soon. Received knowledge we send on to our clients, and when we send on to the clients we include some quite high level guidance about how to respond to it. We can't give them specifics about how to actually respond to that particular request, as we don't know the full inner workings of the processing activities, but we'll give some details like the time scale, for example: they should respond within a month of receiving the request. Certainly the first thing we always tell them is to make sure they've fully ID'd the individual, to make sure that they're not giving information to someone else who's trying to recover that information about a different person. We can't give specifics because we're not a law firm, just something to help the clients really direct their responses to those requests. That's the biggest part of what we do day to day.
We also receive the requests from authorities every now and again, and as you suggested, it's not something we do regularly, fortunately, and as much as I'm not suspicious, I'm gonna touch wood anyway. We haven't had any clients who've had any significant issues or have been investigated in any significant way. That possibility remains, and it is the representative's duty to act effectively as the face of that company in the EU. We can't really produce anything that's material, so we won't speak on behalf of our clients, and this comes back very much to the importance of splitting up the DPO role and the representative role, right? Because as a representative we're under a contractual duty to our clients; we will do what they tell us. As a DPO, they would be giving a lot more guidance and direction, absolutely. It's the DPO's duty to put their hand up and say, look, you're doing this wrong, I think you should be doing this, you should be changing that, we need to make this work under GDPR, whereas...
SPEAKER_02: Oh, I'd totally make a great DPO. I'm good at telling B: stop, you're wrong.
SPEAKER_01: Absolutely. Well, you are the perfect archetype of the DPO, K, you know. You're very, very keen on privacy, but also very keen to make sure that everyone else is very keen on privacy.
SPEAKER_02: That's probably the nicest description I've heard yet. You're right up there with Bill Lee, who told me I was the most blunt person he's ever met, despite all the Europeans he knows.
Paul: Yes, um, I wanted to say, you're not Dutch, are you?
SPEAKER_02: I'm just Southern. But let's also, here's the key thing, Tim. So we're coming to the end of the session; the conversation has been phenomenal. I mean, I knew having you on the podcast would be fantastic, especially since a lot of people have no clue what an EU representative actually does when it comes to the GDPR. But I know that in the midst of asking all of our questions, you may have had an idea when you came on here that you wanted to make sure that you were able to share something in particular, whether it's an anecdote, whether it's a piece of advice, whether it's a "stay away from XYZ". So I want to make sure that we give you the opportunity to share that piece of information that you're like, oh, if I could just tell everybody this one thing. What would that be?
SPEAKER_01: What would it be? Well, actually, I have the advantage of talking to K and to Paul, and you've actually already pulled the vast majority of the relevant information out of me. So I don't have a huge amount to add. I guess the only thing that I didn't really mention was there are a couple of exclusions to the representative obligation, but they're quite minor and they generally won't apply to most commercial organisations.
SPEAKER_02: But we all love exclusions.
SPEAKER_01: We love exclusions. Well, as I may have mentioned before, I'm a lawyer by training, so yeah, exclusions and exemptions are where we live. As it is, it generally applies to every company outside of the EU which doesn't have an EU office, but it doesn't apply to public authorities, so any government organisation or publicly funded organisation. There is some, I guess, a bit of a grey area there. So in a lot of Europe, for example, healthcare will be public sector organisations; they'll be funded by the governments of those countries, so they'll be considered public sector, and those hospitals wouldn't have the representative obligation if it was relevant to them. But where you have countries which have more of a private healthcare situation, so they have hospitals which are paid for privately or through insurance rather than from government funds, those hospitals may not fall under the public sector exemption. So it comes under elements of how you're funded and how you're controlled as well, if the government tell you what to do. The second exemption is for a company, or for data processing activities, which are outside of the scope of European Union law. And there are, even within the European Union, some elements of law which are deemed to be important enough to national interests that EU law doesn't touch them, and the individual countries set their own laws in those areas. So it tends to be quite limited, and it's really around things like national security, the interception of messages and that type of thing, kind of legal enforcement and that type of effort, and so that tends to be an exclusion which is very rarely relevant.
And then the third one is the most interesting: it's the occasional exemption, and it's used, I think, by a lot of companies who just go, oh, we'll just say it's okay, we only occasionally deal with EU data, you know, it's only about a tenth of our business, so we'll just say we fall under the occasional exemption. But you actually need to pass three elements to pass that test. The processing needs to be occasional, and there's some very specific guidance around that when it comes to the DPO role, because again there's an exclusion of even the DPO in some circumstances where you only process EU data occasionally. I won't go into too much detail, but basically if you are processing EU data as part of your core business, even if the EU data is only a small amount of the total data, then it's quite possible that you wouldn't fall under that exemption. There's more information under the DPO guidance, so I'll leave that rather than going into too much detail. The second element is that you can't be processing large volumes of the more sensitive categories of data, such as your medical, religious, ethnic, trade union membership, that type of thing. And the third element is that the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. So it also has to be processing of data in such a way that really that data couldn't affect those individuals if it was to be lost.
SPEAKER_02: So it has to be very innocuous data.
SPEAKER_01: Exactly, yeah, really very minor, uninteresting data, from which you wouldn't be able to draw any interesting conclusions or, for perhaps the criminal element, get any valuable information out of that data. So there are three exclusions, but I personally take the view that it's very hard to actually fall under any of the exemptions in this area. So I'd certainly advise a degree of caution to any company which was particularly using the occasional exemption, and to maybe get some advice from a consultant or lawyer about whether that's actually an accurate exemption.
SPEAKER_02: I think on that one I would actually say, yeah, get a written legal opinion on it from a European attorney.
unknown: Yeah.
Paul: Yeah, and be indeed very reluctant to use them, because data protection authorities and the courts have never been very keen on using the exceptions and exemptions in data protection law, or even in all the fundamental rights agreements that we have, so be very careful there. With that piece of advice, Tim, thank you very much for joining us today. It was a pleasure having you on, and hopefully people are a lot wiser now about what the EU representative is and does and how they should appoint one. We'll make sure to put some more information in the show notes on how people can reach you if they have any further questions or would like a discussion with you to sort out their legal stuff, if they haven't done so yet. And to all our listeners, thank you again for listening. If you like our series, please do tell your friends and colleagues about us. Should you have any questions or suggestions, or if you want to be a guest on the show, please reach out to us via seriousprivacy at trustarc.com or via Twitter at podcastprivacy. You will find K on Twitter as Heart of Privacy and myself as EuroPaulB. Thank you for listening to this episode of Serious Privacy. We'll be back next time. Until the next episode, goodbye.