Are your Data Processors fit to be EU Representative under Article 27 GDPR?

Appoint your data processor as EU Representative and tick off article 27 GDPR?

The Croatian Personal Data Protection Agency (“AZOP”) says no.

Data processors, just like Data Protection Officers (DPOs), cannot be EU Representatives simultaneously because of conflicts of interests.

Read more to find out why AZOP has decided that the two roles cannot be performed by the same entity or person.

1. WHY DID AZOP DECIDE THAT DATA PROCESSORS CANNOT BE EU REPRESENTATIVES?

AZOP, on 19 January 2022, provided its opinion on whether a data controller can appoint its data processor as its EU Representative under article 27 GDPR.

AZOP began its analysis by explaining the respective roles and duties of data processors and EU Representatives as defined under the GDPR. AZOP noted that an EU Representative acts as the main point of contact for both supervisory authorities and the data subjects related to the controller’s compliance obligations and enforcement actions.

AZOP emphasised that the representative referred to in article 27 GDPR shall carry out his/her duties in an honest, impartial and conscientious manner and should preserve his/her credibility when it communicates with data subjects and cooperates with supervisory authorities.

AZOP then went on to describe a data processor’s duties and noted that the data processor serves as an extended arm of the controller and performs tasks as stipulated in its contract with the data controller.

AZOP then compared the two roles and ruled that data processors cannot be appointed as EU representatives because conflicts of interests would arise in the following circumstances:

  • The representative should communicate effectively with the data subjects and cooperate with the supervisory authorities. It should also act reliably and impartially. However, the data processor is directly involved in the actual processing activities itself and has contractual obligations towards the controller.

Therefore, there is a real risk it will not effectively communicate with data subjects and will not fully cooperate with supervisory authorities related to enforcement actions; its communications and cooperation will likely be unreliable and not impartial. Put simply, the data processor can prioritise its contractual obligations as processor over its representative duties. This creates a conflict of interests.

  • Conflicts of interests can also arise when determining the liability of the processor because on one hand, it can be held liable as the data processor and on the other hand, it may also be responsible as the representative.

2. WHY IS THIS IMPORTANT?

A. It clarifies that the data processor role is not compatible with the EU representative role

As the only provision within the GDPR that exclusively applies to organisations located outside the EU, article 27 GDPR is a confusing provision for many when it comes to the role of EU Representative and its difference with DPOs and other service providers.

This is because there had not been any decision or guidance by supervisory authorities that directly addressed this issue in detail before.

AZOP’s opinion clarifies the confusion. The data processor and the EU Representative cannot be the same entity or person due to conflict of interests. As mentioned above, the representative must communicate and cooperate with data subjects and with supervisory authorities in an honest, impartial and reliable manner and the processor is not suitable to adhere to these principles because it is directly involved in processing of data under the controller’s instructions.

AZOP’s opinion also aligns with the EDPB’s Guidelines on the conflict between the processor and the EU Representative.

In its Guidelines numbered 3/2018, the EDPB noted that the data processor role and the EU Representative role would be incompatible due to conflict of interests:

“[…] Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance.”

B. It sets out that additional controls and/or protocols will not be effective to make the two roles compatible

In its opinion, AZOP contemplates if the controller can implement additional measures and controls on the processor to guarantee its impartiality, honesty and reliability.

For example, can the controller put in place policies and impose contractual obligations on the processor to guarantee that it will act impartially and honestly when it serves as the EU Representative?

AZOP decided that such controls and processes would be unenforceable and impractical, so such additional controls are not sufficient to make the two roles compatible.

3. CAN YOUR DPO ALSO BE YOUR EU REPRESENTATIVE?

The appointment of an EU representative is often called the “forgotten obligation” because most organisations do not think of it as a separate obligation from appointing a DPO and use the two terms interchangeably.

Similar to the incompatibility between data processors and EU Representatives, data protection officer (DPO) and EU Representative roles are two distinct roles with widely different duties and thus, they cannot be carried out by the same person / entity.

First of all, while the DPO monitors the overall compliance of the organisation with the GDPR and must act with autonomy and independence in discharging his/her tasks, the EU Representative takes a more reactive role and acts only on behalf of the controller and under its instructions when it deals with data subjects or supervisory authorities.

Therefore, conflicts of interests are likely to arise when the same person is appointed as both the EU Representative and the DPO.

The Irish Office of the Data Protection Commissioner describes a few scenarios where this conflict would arise.

For instance, when a DPO receives a data subject request, it is responsible to take a proactive role to ensure the organisation handles the request in compliance with the GDPR and cannot receive instructions from its organisation. The EU Representative, on the contrary, can only act as instructed by the organisation.

Enforcement proceedings against the data controller/processor would also lead to conflicts of interests. While the DPO must act independently during the enforcement actions against the controller and is not personally liable for the organisation’s actions, the EU Representative can be held severally and jointly liable with the organisation in some jurisdictions such as Spain and can be subject to enforcement action itself.

KEY TAKEAWAYS

  • You cannot appoint one of your data processors or other service providers as your EU Representative due to conflict of interests. The controller could not impose contractual obligations on the Representative and could not enforce controls and processes the same way it could with a data processor.
  • You cannot appoint your DPO as your EU Representative due to conflict of interests too. The DPO has to remain independent in their tasks and in potential enforcement proceedings. The Representative has to act under the instructions of the controller and could even be subject to enforcement proceedings with the organisation in certain countries.
  • The EDPB confirmed this in their guidelines: organisations should appoint an EU Representative that is different from DPOs, processors and any other service provider.
  • Although the EU Representative will only act in accordance with the data controller’s instructions, he/she must act impartially, honestly and reliably when he/she communicates and cooperates with data subjects and supervisory authorities.

About the author

Jane Murphy

Jane Murphy is a Belgian-Canadian lawyer specialising in data protection, corporate law, and EU regulations. She holds law degrees from Canada and Belgium, an LL.M. in EU and International Law, a Data Protection Certificate, and completed an International Business summer programme at Harvard, and an “AI: Implications for Business Strategy” executive program at MIT. Jane also has 15+ years of board experience across Europe and Asia and currently chairs Oracle Financial Services Software (OFSS) in Mumbai.
