Territorial scope of GDPR – Representative or DPO?

Territorial scope of GDPR. Representative or DPO? We help answer that question for many of our clients. It is an important one because of the considerable fines that may be imposed if a company gets it wrong.

Article 3 of GDPR sets out the territorial scope of the Regulation:

  • If the processing of personal data takes place in the context of the activities of an establishment or organization in the EU, regardless of whether the processing itself takes place in the EU.
  • If the personal data of individuals who are in the EU is processed by an organization not established in the EU and the processing concerns the offering of goods or services to individuals in the EU, or the monitoring of the behavior of individuals that takes place in the EU.

In November 2018, the European Data Protection Board (the “EDPB”) issued guidelines on the territorial scope of the General Data Protection Regulation. According to the EDPB, this new scope represents a significant evolution of EU data protection law compared to the framework defined by the old Directive.

For example, if your company is not caught under the establishment principle of Article 3.1 GDPR, it might still fall within the extraterritorial reach of Article 3.2 GDPR. In that case your company will have to appoint a representative in the EU.

In practice, the function of representative in the Union can be exercised based on a service contract concluded with an individual or an organisation. It can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms and consultancies. Such entities however need to be established in the European Union. A representative can also act on behalf of several non-EU controllers and processors.

It is interesting to note that the representative is different from the data protection officer. The first should have a written mandate to represent the company. The second should be in a position to perform their duties and tasks in an independent manner.

Representative or DPO? We serve as the data protection officer for several of our clients. And we are also the representative for another set of clients. Please contact us if you would like information on the various possibilities we offer.

The Data Protection Officer (“DPO”). Do you need one?

Article 37 of the General Data Protection Regulation provides the following:

If your company processes special categories of information (e.g. health data, religious data, racial data, criminal offences, etc.) on a large scale, you must appoint a DPO and communicate the details of that officer to the authorities. Article 37 of the General Data Protection Regulation lays down exactly under what conditions you need to appoint a DPO.

You may appoint an external data protection officer. That data protection officer can work on the basis of a freelance contract. If you would like to discuss the possibility of us becoming your DPO, do contact us. We are the DPO for healthcare and insurance companies and as such have experience in the protection of special categories of sensitive data.

Non EU companies should appoint a DPO in Europe

The new General Data Protection Regulation (“GDPR”), which will come into force in May 2018, requires that the Data Protection Officer (“DPO”) be effectively accessible to data subjects and other players. To ensure that the DPO is accessible, the Working Party 29 (the cluster of European data protection authorities) recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, it cannot be excluded that, in some situations where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU. You may appoint an external company to be your Data Protection Officer. We can become your DPO and/or help you find one.

Contact us if you would like us to review your data protection policy and make it compliant with the GDPR. We have vast experience in data protection matters. And when it comes to American companies we have more than 15 years of experience in helping them establish themselves in Europe.