Territorial scope of GDPR. Representative or DPO? We help answering that question for many of our clients. It is an important one because of the considerable fines that maybe imposed if a company gets it wrong.

Article 3 of GDPR sets out the territorial scope of the Regulation:

• If the processing of personal data takes place in the context of the activities of an establishment or organization in the EU, regardless of whether the processing itself takes place in the EU.
• If the personal data of individuals who are in the EU is processed by an organization not established in the EU and the processing concerns the offering of goods or services to individuals in the EU, or  monitoring the behavior of individuals that takes place in the EU.

In November 2018, the European Data Protection Board (the “EDPB”) issued guidelines on the territorial scope of General Data Protection Regulation. According to the EDPB, this new scope represents a significant evolution of the EU data protection law compared to the framework defined by the old Directive.

For example, if your company is not caught under the establishment principle of 3.1 GDPR it still mighty fall within the extraterritorial reach of 3.2 GDPR. Therefore your company will have to appoint a representative in the EU.

In practice, the function of representative in the Union can be exercised based on a service contract concluded with an individual or an organisation. It can therefore be assumed by a wide range of
commercial and non-commercial entities, such as law firms and consultancies. Such entities however need to be established in the European Union. A representative can also act on behalf of several non-EU controllers and processors.

It is interesting to note that the representative is different from the data protection officer. The first should have a written mandate to represent the company. The second should be in a position to perform their duties and tasks in an independent manner.

Representative or DPO? We serve as the data protection officer for various of our clients. And we are also the representative for another set of clients. Please contact us if you would like information on the various possibilities we offer.

Article 37 of the General Data Protection Regulation entails:

If your company processes special (i.e. health data, religious data, racial data, criminal offences, etc) categories of information on a large scale you must appoint one and communicate the details of that Officer to the authorities. Article 37 of the General Regulation of Data Protection lays down under what conditions exactly you need to appoint a DPO.

You may appoint an external data protection officer. That data protection officer can work on the basis of a free lance contract. If you would like the discuss the possibility of us becoming your DPO, do contact us. We are the DPO´s for healthcare  and insurance companies and as such have experience in the protection of special categories of sensitive data.