The GDPR does not necessarily apply to every organization in the world. It applies to all organizations that are established in the EU. However, for organizations established outside the EU, the GDPR may or may not apply, depending on the circumstances. Establishing whether the GDPR applies to an organization is essential to ensuring the organization’s ability to satisfy its compliance obligations.
An organization established in the EU is subject to the GDPR, which overrides national laws that implement the Directive, to the extent that these have not been reconciled.
An organization based outside the EU is subject to the GDPR if it either: (a) offers goods or services to EU data subjects; or (b) monitors the behaviors of EU data subjects. Any organization that is subject to the GDPR should review its obligations under the GDPR and take a risk-based approach to satisfying them.
Appointment of Representatives Where EU data protection law applies to a controller or to a processor established outside the EU that controller (or processor) is obliged to appoint a representative in the EU, as a point of contact for EU data subjects and DPAs. A controller (or processor) established outside the EU must appoint a representative unless the processing is occasional, small-scale and does not involve Sensitive Personal Data. The appointment of the representative is without prejudice to legal actions that could be initiated against the controller. The representative must be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by supervisory authorities and data subjects, on all issues related to data protection. A representative may be subject to enforcement actions by DPAs in the event of noncompliance by the controller. A representative is not a DPO.
Under the GDPR a representative may be liable for the controller’s failure to comply with the GDPR. Organizations should therefore be wary of agreeing to act as representatives for third parties without strong contractual indemnities in place. The responsibilities of the representative are mainly duplicated from those of the controller (or the processor). This consists in:
- Maintaining the records of processing activities
- Cooperation with DPAs
- Reporting data breaches to DPAs
- Notifying data breaches to affected data subjects
By Xavier Gobert & Nicole Rensonnet.
Last modified: June 13, 2018