
EU GDPR Representative Checklist

US companies who are data controllers or data processors when processing personal data of customers residing in the EU are now required to take the appropriate steps to become GDPR compliant. The GDPR regulation stipulates that certain data controllers or data processors must appoint an EU GDPR Representative that is based in an EU member state. This checklist document was created to provide guidance on the most important considerations when it comes to appointing a GDPR Representative based in an EU Member state for your business. Visit: https://www.compliancejunction.com/


Presentation Transcript


  1. EU GDPR Representative Checklist
  The Dirty Dozen: 12 Questions You Must Answer

  US companies who are data controllers or data processors when processing personal data of customers residing in the EU are now required to take the appropriate steps to become GDPR compliant. The GDPR regulation stipulates that certain data controllers or data processors must appoint an EU GDPR Representative that is based in an EU member state. This checklist document was created to provide guidance on the most important considerations when it comes to appointing a GDPR Representative based in an EU Member state for your business.

  Have you received the appropriate legal advice on whether your company is legally required to appoint an EU GDPR representative? Only in cases where the processing of EU customer personal data is ‘occasional’, is at a small scale and does not involve sensitive or special category data will companies be exempt from appointing an EU GDPR Representative. Regardless of whether your company appoints an EU representative or not, the process of assessing the requirements and making the decision to appoint a representative or not must be properly documented. The requirement to appoint such a GDPR representative applies to companies who do not have an establishment in the EU but are processing personal data of customers in the EU (the monitoring of EU data subjects’ behavior is also processing). Legal advice is key here, as whether a company has an establishment in the EU can be a complex question. The designation of the representative must be in writing.

  Is there an understanding in your senior team about the levels of fines that could be applied to your business if an EU GDPR representative is not appointed? The GDPR regulation brings an increased ability for regulators to fine data controllers for breaches of the regulation. A failure to appoint a representative in an EU member state where one is required would be a breach of the GDPR regulation.
(C) Copyright 2019 ComplianceJunction. All Rights Reserved.

  2. Do you understand the various tasks that an EU GDPR representative must provide? At a high level, the EU GDPR Representative acts as the contact point for data protection authorities in the EU member states. The representative acts as a contact point for EU regulators and can be reached without difficulty or any international legal barriers. The representative may also act as the contact point for all your company’s “data subjects” (i.e. all your EU customers) and would forward such enquiries to the data controller or processor. The EU representative is also the person who will maintain GDPR records and receive GDPR legal correspondence on behalf of your company.

  Have you established whether your company is a Data Controller or Data Processor under the new EU GDPR regulation? Data Controllers determine the purpose and the means of the processing of personal data. Data Processors process personal data on behalf of a Data Controller. Many companies may function as both a Data Controller and a Data Processor for different types of personal data. Companies must identify the scenarios where they are processor or controller, and understand and implement compliance accordingly.

  If you are a Data Controller or Processor, have you mapped out where you are processing EU customer data across different EU member states? For some service providers with infrastructure that is spread across multiple EU member states, knowing exactly where personal data is processed and stored is not a trivial task. Where personal data is being transferred outside the EU, there must be an appropriate transfer mechanism in place.

  Have you created a data processing register? A data processing register is a record of which personal data your business processes and who you share this data with. It is one of the first major milestones on the journey to becoming GDPR compliant, and not having one is, by itself, a trigger for a fine of up to €10 million.

  3. Have you written up the correct Data Transfer Agreements? The GDPR states that it is illegal to send personal data to third parties to process it for your business without a written data processing agreement. Similarly, as a business you cannot act as the processor of data controlled by a third-party entity without a data transfer agreement in place either. These data transfer agreements need to be properly drafted and signed before any GDPR Representative work commences.

  Have you written up and published a Privacy Notice? A privacy notice is a public document that explains how your business processes personal data and how it applies data protection principles. A privacy notice should include information such as: what data your business collects, how your business collects your customer data, how your business will use your customer data, and how your business will store your customer data. It is also vital that a privacy notice is drafted and published prior to any GDPR Representative work commencing.

  Have you provided your European customers with the contact information of your GDPR representative in the EU? Your customers must be informed about who they can contact in the event of a query with regard to their personal data, and typically the EU GDPR representative’s contact details must be shared at the foot of the company’s Privacy Notices and other data protection statements.

  Have you assessed whether your GDPR representative has the right systems and resources required to deal with multiple supervisory authorities simultaneously? Notwithstanding the right to nominate a supervisory data protection agency, your GDPR representative may be obliged to deal with multiple supervisory authorities at the same time.

  4. Have you documented the most appropriate processes to manage communication and reporting with your EU GDPR representative? Regular SARs (subject access requests) and other data protection requests from your customers in the EU will have to be tracked and their status monitored closely; the EU representative can assist with this tracking. The GDPR has laid down strict guidelines on when and how data controllers and data processors must provide responses to the regulators and customers.

  Have you mapped out the different EU languages that your GDPR representative will have to support? There are twenty-four official languages in the EU. Some US companies may be obliged to provide support in multiple languages for multiple data protection regulatory agencies across multiple EU member states.

  Disclaimer - Always consult an expert. This checklist is composed of general questions about the measures your organization should have in place to ensure GDPR compliance and does not qualify as legal advice. Successfully completing this checklist does not guarantee that you or your organization are GDPR compliant. You should always consult a GDPR compliance expert.