Frequently Asked Questions
Do you have any questions on GDPR or EDPO’s services? We’re here to help.
The GDPR and other data protection regulations
What is the GDPR?
The General Data Protection Regulation (GDPR) is a landmark EU privacy regulation that has applied since 25 May 2018. Because it is a Regulation, it is directly applicable in all EU Member States without needing to be implemented in national legislation.
The GDPR is being called the world’s strictest data privacy law. It aims to expand and unify the data protection rights of individuals in the EU and it has unprecedented extraterritorial reach.
What is personal data?
Personal data under the GDPR has a very broad interpretation and includes any information that relates to an identified or identifiable natural person: name, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic ones), identification numbers, location data, age, origins, pseudonyms, etc.
What is sensitive data?
Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.
What are the sanctions for non-compliance with the GDPR?
Infringements of the GDPR (even by non-EU companies) may lead to fines of up to the greater of €20 million or 4% of worldwide turnover, without prejudice to individual and collective claims for damages that can be brought before the courts. The data protection authorities also have the power to impose temporary or indefinite bans on processing and to suspend data flows to recipients in third countries.
Pursuant to GDPR Art. 83 (4) (a), the sanctions for not appointing an EU Representative can go up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
What is the UK GDPR?
The UK GDPR is the data protection regulation that has applied in the United Kingdom since Brexit (1st January 2021). The UK implemented the EU GDPR into its Data Protection Act 2018. The rights, principles and obligations mostly stay the same as under the GDPR, for now.
What is the Swiss Data Protection Law?
Switzerland recently published their new Data Protection Law which will enter into force on 1st September 2023. Some of the obligations, rights and principles are inspired by the GDPR. For example, non-Swiss companies will have to appoint a Data Protection Representative in Switzerland just like non-EU companies have to appoint a GDPR Representative in the EU pursuant to the GDPR.
The obligation to appoint a Data Protection Representative
(Article 27 of the EU & UK GDPR)
When do you need to appoint a Data Protection Representative?
You may need to appoint a Data Protection Representative in the EU if:
- You are based outside the EU/EEA and don’t have an establishment there
- You offer goods or services to individuals in the EU (for payment or for free) and/or you monitor their behavior (such as tracking, profiling, etc.)
EDPO can act as your EU Data Protection Representative! Contact Us for a free quote.
You may need to appoint a Data Protection Representative in the UK if:
- You are based outside the UK and don’t have an establishment there
- You offer goods or services to individuals in the UK (for payment or for free) and/or you monitor their behavior (such as tracking or profiling)
EDPO’s sister company EDPO UK LTD can act as your UK Data Protection Representative! Contact Us for a free quote.
Are there any exceptions to the application of Art. 27?
Article 27 of the GDPR does not apply to non-EU companies if they are a public authority or body or if the following cumulative conditions are met:
(i) the company only occasionally processes the personal data of persons in the EU and
(ii) the processing does not include the processing on a large scale of special categories of personal data or the processing of personal data relating to criminal convictions and offenses and
(iii) the nature, context, scope and purpose of the processing is unlikely to result in a risk to the rights and freedoms.
The same applies to non-UK companies pursuant to the UK GDPR.
Where does the Data Protection Representative have to be located?
Your EU GDPR representative must be located in a (single) country in the EU where the individuals whose data are being processed are located. If your company generally targets the entire EU, then it can choose the country where it wants to base its representative. As Brussels is the capital of the EU, it is a preferred location for non-EU companies to designate their GDPR representatives.
Your UK GDPR Representative must be located in the UK.
How do I designate a Data Protection Representative?
The Data Protection Representative must be designated in writing. A proper written contract must therefore be in place to provide a clear mandate and specific instructions.
Designate EDPO or EDPO UK and get the EDPO compliance certificate.
If my country has an Adequacy decision for data transfers with EU, does it release my company from the obligation to appoint a Representative?
No. The Adequacy decisions issued by the EU Commission only concern data transfers from the EU to that third country. If your country benefits from an Adequacy decision, that means that you can safely transfer personal data from the EU to your country without additional safeguards. But you still need to appoint a Representative to help you handle requests from individuals and authorities in the EU.
Does designating a Data Protection Representative release the non-EU or non-UK companies from liability and responsibility?
NO. The GDPR and UK GDPR clearly state that the designation of a Data Protection Representative does not affect the responsibility and liability of the non-EU and non-UK companies that fall within the scope of the GDPR and UK GDPR. The designation is without prejudice to legal actions which could be initiated against the non-EU and non-UK companies.
Can I appoint EDPO as Data Protection Representative?
Yes!
EDPO is a privately-held Belgian limited liability company located in Brussels, the European capital, and we have representation offices in many EU countries. Our only activity is to act as (GDPR Article 27) EU representative for non-EU companies that fall within the scope of the GDPR, so we are focused on providing top-notch representation services.
Our sister company, EDPO UK Ltd, is located in London and acts as a (UK GDPR Article 27) UK Representative for non-UK companies that fall within the scope of the UK GDPR.
Check the section ‘How to appoint us’ below for more information!
What is considered to be processing “on a large scale”?
The GDPR and UK GDPR do not define what constitutes “large scale” processing but guidelines recommend that the following factors be considered when determining whether the processing is carried out on a large scale:
- The number of individuals concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer
The Swiss Authority defines large scale as follows: “The term "large-scale" refers to cases where data is not simply processed in an isolated way. For example, a medical practice or hospital might process patient data. On the other hand, the isolated processing of the data of an employee who is absent due to illness by a company does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of sensitive data constitutes the essential part of the activities of the person or body in question.”
How can a non-EU company assess whether processing is “unlikely to result in a risk to the rights and freedoms of individuals”?
The GDPR does not define the notion of “risk to the rights and freedoms of individuals” but the recitals include examples of the types of risks which should be considered:
- physical, material or non-material damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
- where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data
- where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures
- where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles
- where personal data of vulnerable natural persons, in particular of children, are processed
- where processing involves a large amount of personal data and affects a large number of data subjects.
Examples of regular processing include payroll, accounting, customer data management, e-mail loggings, school grades, etc.
What does it mean to “occasionally process” the personal data of persons?
The terms “occasionally process” are not defined in the GDPR or the UK GDPR but the most recent guidelines state that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor. Examples of “regular” processing include payroll, accounting, customer data management, e-mail loggings, school grades, etc.
Public authority or body:
The GDPR and UK GDPR do not define what constitutes a “public authority or body” but the interpretation guidelines consider that such a notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law.
The Role Of the Representative
How does the Representative assist companies?
The main task of the Data Protection Representative in the EU and in the UK is to act as a point of contact for the data protection authorities and individuals in the EU and in the UK whose personal data is being processed by the non-EU and non-UK companies.
The Data Protection Representative also has to maintain records of the processing activities of their clients.
The representative acts on behalf of the non-EU and non-UK companies, performing its tasks according to the mandate received from them, including cooperating with the data protection authorities with regard to any action taken to ensure compliance with the GDPR and UK GDPR.
What are data subject access requests (“DSARs”) and how does the Data Protection Representative handle them?
DSARs are requests made under the right, granted by the GDPR and the UK GDPR to data subjects, to access all personal information that an organization holds on them.
As your Data Protection Representative, EDPO handles an unlimited number of DSARs across the entire EU/EEA and in the UK. We also perform identity checks (if instructed to do so), forward the requests to our clients with free English translation if needed, answer our clients’ questions as to best practices on how to respond, and reply to the data subjects on their behalf. We aren’t just a mailbox or message forwarding service.
What is the deadline to respond to information requests?
Requests for information from individuals in the EU and/or in the UK must be replied to within one month. Extensions of an additional 2 months are possible depending on the complexity and the number of requests.
What happens if I experience a data breach?
A data breach isn’t fun, but it can sometimes happen. Given that every data protection authority (DPA) has different requirements for data breach notifications (including filing in the country’s official language), the entire process can be very challenging – especially given the tight 72-hour deadline to notify a data breach to the DPAs. EDPO uses a unique data breach notification platform that consolidates all of the questions of all of the data breach notification forms in the entire EU/EEA in English and then translates the answers back into the original language of the respective national EU/EEA countries. We can therefore give you a huge head start in your data breach notification filings by reducing the time and resources – and stress! – required to complete your data breach notifications.
In addition, our contract with you will not automatically terminate in the event that you experience a data breach. We support you all the time and all the way.
How must information be communicated to individuals?
Information must be provided in a concise, transparent, intelligible and easily accessible form. Particular attention must be given to information which is addressed to children. The information must be provided in writing or by electronic means and it can also be provided orally if the identity of the person making the request is proven.
What’s a record of processing activities and what does the Data Protection Representative do with it?
Your Data Protection Representative has a legal obligation to hold a copy of your Article 30 record of processing activities: i.e. all relevant and up-to-date information regarding the EU and/or UK personal data that you process.
Your Article 30 record of processing activities is kept by EDPO on a highly secure platform that is hosted in a data center that has the highest security levels in Europe, guaranteed via international standards and certifications. EDPO can also provide you with referrals of templates and/or experts who can help you set one up.
For more information, watch our video on how to set up a Record of processing activities!
How to Appoint EDPO?
How do I get in touch?
There are three ways to get in touch with us:
- You want to discuss the obligation to appoint a Representative and you’re not yet sure how it applies to your company? Use our assessment test, it will help you assess whether or not you need a representative. There is an option to have us contact you at the end of the test.
- You already know that the obligation applies to you and you would like to receive a tailored fee quote? Use our registration form and provide the requested information about your company. This will help us determine the fee quote. We will send you a tailored fee quote and will schedule a short call to discuss practicalities.
- You don’t want to fill our forms and want to book a call to discuss our services face to face? Use our ‘Book a call’ button at the bottom of the page. Select a timeslot that suits you and provide your email address. Looking forward to meeting you!
How much does it cost?
Our Data Protection Representative fees are based on the size of your company (in terms of number of employees), the type of data (regular data and/or sensitive data) that your company processes, whether or not your company’s processing operations require regular and systematic monitoring of individuals in the EU and whether your company processes personal data on a large scale. All packages can be tailored to your company’s specific needs.
What if EDPO isn't located in the EU country where I need to appoint a Representative?
No worries. Contact us: we have the solution.
We already have offices in several EU countries (check our office page to see them all). If we don’t have an office in the country where you need to appoint your Representative, we’re happy to open a new location for you. This comes at no extra cost for your company and can be done in 72 hours!
Does EDPO provide any other GDPR services?
No. EDPO is focused on providing Data Protection Representative services in several jurisdictions. We are not a law firm and we don’t provide legal advice. There are no conflicts of interest with other GDPR roles (such as the DPO or privacy lawyer).