1. What is the GDPR and UK GDPR exactly?

The General Data Protection Regulation (GDPR) is the EU's data protection and privacy law. Its intent is to protect the personal data of individuals in the EU, wherever in the world that data is processed (Article 3 sets out this territorial scope). The GDPR is complex in itself; a thorough summary supported by the EU can be found here. You also have to be aware that every EU member state has its own data protection legislation supplementing the GDPR, so your company's obligations can differ from one member state to the next.

Even though the UK has left the EU, the rules of the GDPR still apply there, only under a different piece of legislation. The UK adopted its own equivalent of the GDPR, the UK GDPR: the EU regulation as retained in UK law and amended post-Brexit by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, sitting alongside the Data Protection Act 2018. This legislation contains the same obligations as the GDPR, including the obligation to appoint a representative in the UK.

2. I already have a Data Protection Officer (DPO). Why do I need to have a Data Protection Representative (DPR)?

According to Article 27 of the GDPR and UK GDPR, every company without an establishment in the EU (or in the UK, in the case of the UK GDPR) that nevertheless falls within the regulation's scope, because it offers goods or services to, or monitors the behaviour of, individuals there (Article 3(2)), is required to appoint a DPR, subject only to the narrow exemption in Article 27(2) for occasional, low-risk processing. The obligations of a DPO differ from those of the DPR. Whereas a DPO has to perform his or her duties independently, a DPR acts only under the explicit mandate of your company. A DPO oversees your company's GDPR strategy and compliance and trains your employees; a DPR acts as the local point of contact for your EU customers and for the supervisory authorities.

3. Why can't the DPO fulfil the role of the DPR?

The European Data Protection Board has shed light on this matter in its Guidelines 3/2018 on the territorial scope of the GDPR (version 2, first adopted in November 2018). In short, being a DPO and a DPR at the same time can result in a conflict of interest, because the DPO must act independently while the DPR acts on the company's instructions. Therefore both roles need to be fulfilled separately.

4. What will happen if I don't have a DPR?

If you don't have a DPR you can be fined by a data protection authority. The GDPR and UK GDPR are designed to make non-compliance a costly mistake. There are two tiers of fines:

Less severe infringements can result in a fine of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Severe infringements can result in a fine of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

(The UK GDPR sets the equivalent caps in pounds sterling.)

Not having a DPR falls, according to Article 83(4) of the GDPR and UK GDPR, in the less severe tier.

5. How can the EU or UK sanction my non-EU or non-UK company for millions for non-compliance?

Under the GDPR and UK GDPR, the protection of personal data follows the individual wherever in the world the data is processed. Court rulings have already acknowledged this, and several non-EU companies have been fined millions. Time and again the Court of Justice of the European Union has ruled that the rights of the individual prevail over those of the organisation holding or processing the personal data.

It is likely that the GDPR will become the standard worldwide, because companies want access to the EU market. We therefore see countries adopting their own privacy laws modelled on the GDPR, including the obligation to appoint a representative in that country.

6. Any individual in the EU can be my DPR, why do I need Sensorium to be my DPR?

It is true that any natural or legal person established in the EU can be your DPR, according to Article 27 (and the definition in Article 4(17)) of the GDPR and UK GDPR. However, being a DPR can be a risky job: the EDPB guidelines make clear that a DPR can be subject to enforcement proceedings for your company's non-compliance. Because of this potential of enforcement proceedings against both the DPR and your company, it is best to have a firm with expert working knowledge as your DPR. Also, a DPR has to be able to communicate in any of the 24 official languages of the EU, because it can receive communications from virtually any EU supervisory authority and from any individual in the EU whose personal data you hold or process. It is therefore in your own best interest to have the expertise of Sensorium by your side as your DPR.

7. Why can't I have a DPR in Eastern Europe to represent my company in Western Europe?

The European Data Protection Board clarified this in the same guidelines. A DPR must be established in one of the EU member states in which the data subjects whose personal data your company processes are located. The DPR must nevertheless remain easily accessible to data subjects in the other EU member states as well. For the UK GDPR, the representative must be established in the UK.