With the entry into force of the GDPR, it has become mandatory for entities established in third countries that process the personal data of European citizens to appoint a representative in the European Union. This article analyses the situations in which such a designation is mandatory and the prerogatives of this representative.
Keywords: GDPR; European Union; Article 27; Data Controller Representative; Representative of the Controller or Processor; Personal Data.
Data protection aims to provide citizens, as data subjects / holders of personal data, with autonomy of decision regarding their own personal data. Portugal was a pioneer in the recognition of the protection of personal data as a fundamental right, providing for it in the Constitution of 1976.
In fact, this right is grounded in the right to privacy (Article 26, no. 1 of the Constitution of the Portuguese Republic, hereinafter “CRP”) and in the right of access to computerised data (Article 35 of the CRP).
On 7 January 1994, the National Data Protection Authority (“CNPD”) started operating (at the time under another name), and in 1998 Directive 95/46/EC was transposed into Portuguese law by Law no. 67/98 of 26 October.
More recently, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “General Data Protection Regulation” or “GDPR”) has significantly changed the dynamics of data protection, seeking to substantially reinforce citizens’ rights.
Although it is a Regulation, directly applicable in the legal systems of the European Union Member States, this legislation benefited from a transition period of two years before its full implementation. Thus, the GDPR has applied directly in all EU Member States since 25 May 2018.
Although the GDPR is primarily aimed at entities in the Union, it may also apply to entities established in third countries when the processing of personal data involves European citizens. In such cases, there may be a need to designate a representative in the Union under Article 27 of the GDPR. We will now see in which situations this is mandatory.
II. Scope of the GDPR
GDPR applies to companies that process personal data and:
- Are established in the European Union, regardless of where the data processing is carried out;
- Are based outside the EU, but the processing is related to the offering of goods or services to persons in the EU or is about monitoring the behaviour of EU citizens.
These criteria should be assessed at the time when the activity is liable to trigger the application of the GDPR, i.e., when the goods or services are offered or when the behaviour is being monitored.
The European Data Protection Board (EDPB, referred to as CEPD in Portuguese) considers that, as regards processing activities related to the provision of services, the GDPR only applies to activities which intentionally, and not inadvertently or accidentally, target individuals located in the EU.
Consequently, if the processing concerns a service that is offered only to individuals located outside the EU and is not cancelled when such individuals enter the EU, the data processing will not be subject to the GDPR.
III. Obligation to appoint a representative
Companies based in a third country that obtain personal data from EU citizens must designate, in writing, a representative established in at least one EU Member State. This representative may be a company or a natural person, under Article 4, no. 17 of the GDPR.
On the other hand, entities established outside the EU do not have to designate a representative in the EU when they:
- Carry out processing which is occasional, does not include the large-scale processing of special categories of data or the processing of personal data relating to criminal convictions and offences, and does not present a risk to the rights and freedoms of natural persons, considering the nature, context, scope and purposes of the processing;
- Are authorities or public entities.
The purpose of this rule is to ensure an adequate level of data protection and to provide a point of contact for European citizens whose data is processed outside the European Union, while ensuring legal accountability for the data processing activities.
The representative shall act on behalf of the controller or processor and shall stand in for them in communications made by supervisory authorities, such as the CNPD in Portugal, and by data subjects regarding issues related to the processing.
When communications with the national authority involve deadlines, the authority must take into account that the representative will have to forward the notification to the controller or processor located in a third country, and adapt the deadline accordingly.
However, the appointment of a representative does not prevent legal actions from being brought directly against the represented controller or processor (Article 27, no. 5 of the GDPR).
Rather, the obligation set out in Article 27 of the GDPR gives effect to Recital (80) of the GDPR, which clarifies that the designation of the representative does not affect the responsibilities incumbent on the controller and the processor.
Otherwise, “it would be prejudiced against its eminently executive function with the guarantee of ensuring the link between the processing controller or subcontractor and the competent supervisory authority.”
On this issue, the Austrian Data Protection Authority has already ruled directly for a US company instead of its representative in the Netherlands. According to the authority, “since the appointment of a representative in accordance with the text of the regulation expressed in accordance with art. 27, no. 5 GDPR does not entail any transfer of responsibility,” the decision of the data protection authority was directed against the controller.
The representative of companies and/or organisations with more than 250 employees will also be responsible for maintaining the record of processing activities set out in Article 30 of the GDPR. This record should include information on the controller or processor located in the third country, the purposes of the processing, the categories of data subjects and the categories of personal data processed, the categories of recipients of the personal data, and, where applicable, the transfers of personal data to third countries or international organisations, as well as, where possible, the time limits for deletion of the data and a description of the security measures applied.
Representatives of companies with fewer than 250 employees are also bound by the above obligation if one of the following situations arises:
- The processing carried out is likely to result in a risk to the rights and freedoms of the data subject;
- The processing of the data is not occasional;
- The processing covers the following special categories of personal data: data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data; biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning a person’s sex life or sexual orientation; data relating to criminal convictions and offences.
IV. The Representative and the Data Protection Officer
When analysing the functions of the representative of the processor or controller as established in the GDPR, confusion may arise with the figure of the Data Protection Officer (DPO); however, the two figures are legally distinct.
First, a DPO must always be appointed when the controller is a public authority or body, with the exception of courts, or when its core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.
Secondly, their roles are different. The representative, as mentioned above, has the task of managing communications with third parties within the EU, and therefore acts as an intermediary. In addition, it should also cooperate with the supervisory authorities in relation to any action that may be necessary to ensure compliance with the GDPR.
The responsibilities of the DPO, by contrast, include the following:
- Promote training of the data processing department regarding compliance and responsibilities under the GDPR;
- Ensure compliance with privacy and data protection policies by conducting audits;
- Monitor compliance of processing in accordance with the GDPR;
- Control and monitor the preparation of Data Protection Impact Assessments (DPIAs);
- Maintain updated records of data processing activity;
- Control the fulfilment of contracts with the subcontractor;
- Advise data subjects on issues related to data processing;
- Cooperate with the supervisory authorities.
Furthermore, the DPO must carry out their tasks with full autonomy and independence from the controller (Article 38, no. 3 of the GDPR and Recital (97)). Thus, no instructions may be given to the DPO on how to perform their duties, nor may they be dismissed or penalised for performing those duties correctly.
This being said, it can be concluded that the DPO represents a more critical figure in relation to the activity carried out by the data controller than the representative, who presents himself as a point of contact with the external relations of the controller or processor.
V. Nature of the Representational Relationship
It is considered that the relationship between the controller or processor and the representative takes the form of a mandate (Articles 1157 and 1178, no. 2 of the Civil Code (“CCiv”)), since the representative acts on behalf and in the name of the principal, i.e., the controller or the processor.
Portuguese law distinguishes between a mandate with representation and a mandate without representation. In contrast to a mandate with representation, a mandate without representation is one in which the mandatary acts in his/her own name, acquiring the rights and assuming the obligations arising from the acts he/she performs, and is subsequently required to transfer the rights acquired in execution of the mandate to the principal.
In the Portuguese legal system, the mandate with representation is a contract governed by Articles 1178 and following of the CCiv, by which one party, the mandatary, undertakes to perform one or more legal acts on behalf of another, the principal.
In this case, the acts performed by the representative produce their effects in the legal sphere of the controller or processor. Therefore, communications made by the representative to data subjects must be considered as having been made by the controller.
During the mandate, the representative shall perform the acts covered by the mandate, following the instructions of the principal, which may be given at the time the mandate is established or during the execution of the contract. Likewise, the representative must provide the principal, the controller or processor, with any information concerning the performance of his/her role that is requested. In general, the controller must always be aware of the representative’s activity.
According to art. 1158 of the CCiv, the mandate is presumed to be free of charge, except if it concerns the practice of acts in the scope of a profession, in which case it is presumed to be onerous. In these terms, the mandate carried out by a lawyer or solicitor is onerous.
The remuneration is fixed by agreement between the parties, obeying the limits imposed by art. 282 of the CCiv.
If the representation is exercised by lawyers, the special rules on the setting of fees laid down in the Statute of the Bar Association (“EOA”) must be considered, and the General Council of the Bar Association shall give its opinion on fees when so requested (cf. Article 44, no. 3, e) of the EOA).
According to article 105 of the EOA, the lawyer’s fees should match an adequate economic compensation for the services effectively rendered, which may take the form of a fixed retribution. Pursuant to paragraph 3 of the same article, “in setting the fees, lawyers should take into consideration the importance of the services rendered, the difficulty and urgency of the matter, the degree of intellectual creativity of their services, the result obtained, the time spent, the responsibilities assumed by them and other professional usages”.
However, even if the mandate is free of charge, this does not affect the mandatary’s right to reimbursement of expenses or to compensation for losses incurred in the exercise of the mandate.
As a rule, the mandate is freely revocable by either party, unless it was granted in the interest of the mandatary or of a third party, in which case, absent just cause, the revocation requires the agreement of the interested party (cf. Article 1170 of the CCiv).
Except where it is granted in the interest of the mandatary or of a third party, the mandate is therefore one of the contracts subject to free revocability. This is a mandatory rule: no agreement to the contrary is permitted, nor may the right of revocation be waived. Accordingly, the revoking party does not need to justify its decision.
Furthermore, the mandate ends:
- By the death or interdiction of the principal;
- By the incapacitation of the principal, if the mandate has as its object acts that cannot be performed without the intervention of a curator (cf. Article 1174 of the CCiv).
LEGAL NOTICE: This is a publication prepared by Mouteira Guerreiro, Rosa Amaral & Associados, Sociedade de Advogados, SP RL, which holds all intellectual property rights inherent to it. In particular, its content is not intended to be, nor should it be understood as, a substitute for the professional legal advice required for decision-making and the resolution of specific cases by the respective departments, nor does it constitute or will it constitute any obligation of any nature on the part of MGRA. Copying, altering, reproducing, distributing, circulating, including in other documents or quoting this publication is prohibited unless previously and formally authorised. Mouteira Guerreiro, Rosa Amaral & Associados, Sociedade de Advogados, SP RL declines any liability for any damage or loss that may arise from the use of this publication. See our terms and conditions and privacy policy. For any questions, please contact email@example.com.