Frequently Asked Questions on Prighter GDPR-Rep
Does our company need an Art 27 GDPR representative in the EU?
Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:
- offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or
- monitor their behaviour (e.g. cookie profiling).
According to the Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR, this applies to both controllers and processors. For processors not established in the European Union the applicability of GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller.
According to Art 27 GDPR, controllers or processors are exempted from the regulation if ALL of the following criteria are met:
- personal data is only processed occasionally, which is only from time to time and non-systematic; AND
- data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences; AND
- data processing is unlikely to result in a risk to the rights and freedoms of data subjects.
It is hard to meet ALL of these criteria; in particular, the criterion of processing data only occasionally proves to be a big hurdle for most businesses.
Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, a mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The EDPB listed the factors to be taken into account when assessing if goods and services are offered in its Guideline 3/2018 on the territorial scope of GDPR. Some of the factors are:
- using languages of EU Member States, or offering payments in a currency of an EU Member State;
- using Google or Facebook ads to address the EU market, or any other marketing activity directed towards EU customers;
- mentioning EU references or testimonials;
- the activity at hand being of an international nature, such as certain tourist activities;
- mentioning dedicated addresses or phone numbers to be reached from an EU country;
- use of EU top-level domains;
- description of travel instructions from one or more other EU Member States to the place where the service is provided;
- offering the delivery of goods to EU Member States;
In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's product, GDPR is likely to apply.
Not all online collection or analysis of personal data of individuals in the EU counts automatically as “monitoring”. Monitoring the behaviour of EU data subjects implies an intention to collect data for a specific purpose. Therefore, any kind of tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, qualifies as "monitoring". Again, the EDPB gives some more guidance in the Guidelines 03/2018. According to the EDPB, monitoring may take place not only on the Internet but also through wearables and other smart devices. Monitoring activities include:
- Behavioural advertisement
- Geo-localisation activities, in particular for marketing purposes
- Personalised diet and health analytics services online
- Market surveys and other behavioural studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
The GDPR extends its ‘territorial scope’ to controllers and processors that have their registered office in a country outside of the EU. As a result, the exorbitantly high penalties of up to €10 million or 2% of the worldwide annual turnover can apply if a processor or a controller does not comply with the obligation of appointing an EU representative. The penalties may be enforced by individual claims or by authorities. Furthermore, your partners in the EU may be obliged to stop transferring data to your company.
What should I look for in an Art 27 representative? And what is Prighter’s approach?
The representative shall act as an addressee for authorities and data subjects to facilitate the communication with processors and controllers outside the EU. The representative needs to be mandated in writing by the controller or processor to evidence the appointment. Furthermore, the representative shall, according to Art 30 GDPR, maintain the records of processing activities and shall make the record available to the supervisory authority on request.
How has Prighter's business model been designed to meet these requirements?
- To facilitate communication, Prighter established a network of offices all over Europe and developed high-end tech solutions for communication with both authorities and data subjects;
- A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process; and
- Currently we assist clients in the drafting of records of processing activities by providing prefilled templates along with extensive support and guidance.
First of all, the EDPB clarifies in its Guideline 03/2018 on territorial scope that only one representative needs to be appointed in an EU Member State, which can then serve for all other Member States. In the event that a significant proportion of the customer base is in one particular Member State, it is best practice that the representative is established in this Member State. In any case, the representative will be easily accessible for data subjects in all Member States no matter where the representative is located.
How does Prighter approach these requirements?
- Prighter has offices and partner offices in all major EU Member States. This keeps you compliant and provides you with a local and easily accessible representative for all your customers, no matter where they are located; and
- Prighter is not just a postbox; we have real privacy professionals in every location.
Our goal is to enable non-European companies to comply with GDPR through a combination of legal expertise and technology to deliver this expertise. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer (DPO) for major banks, financial service providers, tech companies, ...) into the development of our tools which easily handle Data Subject Requests (DSR) and data breaches, and into the management of records of processing activities. We support you in all privacy related matters, but above all we support you in growing your business by enabling you to improve customer trust by handling privacy matters in an efficient and professional way.
The core of our service is representation according to Art 27 GDPR. Around this core we have built features, services, and tools which enable you to leverage your compliance in order to increase efficiency and gain trust with your customers and partners. For more information on the services offered visit “GDPR-Rep Services”:
By subscribing to the EU GDPR Representation Program, you appoint us as your EU GDPR Representative. Our highly professional team of lawyers and privacy professionals is your first line of defence to deal with requests from data subjects and data protection supervisory authorities (SA).
We provide you with a Compliance Landing Page for you to brand and to include privacy and security related certificates, as well as your privacy and cookie policies. This is your window into the world of privacy-related matters which helps you to increase customer trust and confidence by demonstrating your privacy regulations readiness. The Compliance Landing Page also serves as an access point for privacy related requests which you can then easily manage with your GDPR Privacy Software Tools.
GDPR Privacy Software Tools:
We have built a unique, specialised tool to manage the lifecycle of any data subject requests (DSRs) from existing or potential clients. This saves you time, internal resources, and money, and reduces your compliance risk substantially. When it comes to supervising authorities we cover all of their standard requests (e.g. requests to submit records of processing activities). Additionally, we offer you a data breach tool that gives you access to our services in any critical situation which involves your data being compromised.
This is where our innovation comes into play. We built the Data Subject Request (DSR) management tool to channel, structure and filter all incoming privacy requests from clients and authorities. You can handle requests from millions of data subjects in one tool with the help of our proprietary AI technology. We cover and support all aspects of the formal handling of DSRs including communication with data subjects. What actually needs to be done in your database (e.g. delete a data subject) is always your own decision. The DSR tool is designed to manage the lifecycle of a data subject request to get all formal aspects right and offer you a framework of advice.
What is the difference between a DPO and an EU GDPR representative?
You are obliged to appoint a data protection officer (DPO) if your company meets one of the following three criteria:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- the core activities of your company consist of processing operations which, by virtue of their nature, their scope and/or their purpose, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of your company consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
More information regarding how the criteria are interpreted is outlined in the Guideline of the Art 29 Working Party on Data Protection Officers. In comparison to the requirements for appointing a DPO, a GDPR representative is needed when offering goods and services or monitoring EU data subjects.
In a nutshell: the criteria for the requirement of a DPO reflect a higher risk involved with certain processing activities, whereas the requirements for an EU GDPR representative are triggered when your company’s processing of personal data of individuals located in the EU is noticeable.
A Data Protection Officer (DPO) shall be involved in all issues related to the protection of personal data in a company. The role of a DPO is also to monitor the company’s compliance with GDPR, assist in data protection impact assessments, and to advise the management on privacy by design and privacy by default as well as all other privacy related matters. Hence, a DPO needs to be close to the company and needs to be involved in the day-to-day business. Whenever possible, the DPO shall be located in the region of the company’s headquarters.
In comparison, the EU GDPR Representative is by nature operating at a distance when representing the company due to the lack of an establishment in the EU. The representative is therefore a substitution for a subsidiary, branch, or other establishment.
No, there is a conflict of interest between the roles of DPO and GDPR representative. The EDPB states in its Guideline 3/2018 on the territorial scope that there is a possible conflict of obligation and interests in cases of enforcement proceedings, and because of this the EDPB does not consider the function of a representative in the EU to be compatible with the role of data processor for the same company, in particular when it comes to compliance with the respective responsibilities and compliance of a DPO and a representative.
How can our company appoint Prighter as our EU GDPR representative?
The onboarding process is simple and can be completed in a couple of minutes, but the best part is: We grant your company a free 14-day trial to keep the appointment completely risk-free.
- Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories, which measure by the number of people employed. "Employees" includes part-time workers and freelancers.
- Enter your company's details. Your risk-free 14-day trial period starts when you complete this step.
- After registering, you will find a download button for the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests by supervisory authorities. We kindly ask you to sign and upload your PoA.
- Our team will check and verify the provided information on your company and the PoA. This is usually done within a couple of hours.
Please note that, unlike EU GDPR representation, a NIS representation needs to be notified to the relevant authority.
Every separate entity requires representation according to Art 27 GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you sign up for. The "small enterprise" package includes one affiliate, the "medium enterprise" package includes up to 5 affiliates, and the "large enterprise" package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.
Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €19 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service without any risk. All of our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option.
Furthermore, you can choose between paying with credit card or via bank transfer. We accept almost all credit cards. Bank transfers are accepted in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions!