Data Protection Representative
Easily appoint your DPR in the EU or UK
The Data Protection Representative (DPR) in the GDPR
Often, GDPR obligations apply to non-EU Companies. In particular, they apply to companies which:
- Offer goods or services (even for free) to data subjects in the EU
- Monitor data subjects’ behavior while they are in the EU
According to Article 27 of the GDPR, whenever these companies do not have a European establishment, they must designate a Data Protection Representative (DPR) in the EU.
Data Protection Representative duties
A Data Protection Representative in the EU acts as your company’s local point of contact for Data Subjects and Data Protection Authorities (DPAs). It establishes a trustworthy and compliant relationship between your company and the European data protection regulations and supervisory authorities. In particular, a DPR will assist a non-EU company by:
- Cooperating with Supervisory Authorities (such as transmitting a Data Breach assessment and/or notification conducted by the Data Controller to the competent DPA)
- Receiving inquiries from Data Subjects
- Maintaining the Record of Processing Activities (RoPA)
Not appointing a representative may cause serious liability for the data controller, as it would be in breach of its obligation under the GDPR. This may result in serious fines. In 2021, the Dutch DPA imposed a fine of 525,000 euros on a Canadian company for not appointing a DPR.
Should you hire a DPR or a DPO?
A DPR is not a Data Protection Officer (DPO). A DPR is a local point of contact and acts as a liaison for communication, while a DPO monitors GDPR Compliance within the organization. In other words, a DPO has active informative and advisory functions, while a DPR acts more like a local mailbox and/or mailperson. If you are also looking for GDPR Compliance services that exceed those offered by a DPR, then it is advisable to consider our DPO-as-a-Service solution.
“We assist our DPR Clients with all the communications with Data Subjects and Data Protection Authorities.”
Michael van Staveren – Partner at DPO Consultancy | Privacy & Data Protection Consultant
DPR for Seno Medical | DPO-as-a-Service at SVB
Some practical DPR Examples
Here is a non-exhaustive list of examples of companies without an establishment in the EU that need a DPR in the EU:
- A US sponsor that conducts clinical trials in Europe, and monitors EU residents participating in clinical trials
- A US company that sells products or offers goods or services to data subjects located in the EU
- A Canadian online platform that lets users look up, for free, the contact information of family members, former classmates, or friends with whom they have lost touch (the company offers free services to data subjects in the EU)
Data Protection Representative in the UK?
After Brexit, the UK GDPR provides for the equivalent of what used to be the EU Representative. Like the GDPR, the UK GDPR states that if you process personal data of UK Data Subjects you must have a DPR. However, the UK DPR can be established outside the UK. The UK DPR's duties are:
- Cooperating with the Information Commissioner’s Office (ICO), the UK Data Protection Authority
- Receiving inquiries from Data Subjects in the UK
- Maintaining the Record of Processing Activities (RoPA)
How to appoint a DPR
Your DPR must be appointed in writing. An informal letter will suffice. We can fill the role of DPR for your organization, whatever your sector is, for the EU and the UK. If you are interested or need more information, please feel free to fill out the form below or send us an email at