Organizations in India need a representative in the EU who will be registered with the data protection authority on their behalf. One of the prime areas where a lack of knowledge is placing non-EU companies at risk of GDPR fines is the representative obligation under Article 27.
Article 27 (Representation of controllers and processors not established in the European Union) is applicable to non-EU clients too, although in our experience too often the response is incredulity: why should they worry about a new law in the EU when they have no base of operations in Europe?
Where a non-EU data controller or processor is offering goods or services (paid or free) to EU data subjects, or is monitoring the behavior of data subjects within the EU, the data controller or processor must designate in writing a representative in the EU.
Representatives are legal or natural persons who represent the controller or processor with respect to their obligations under the GDPR and must be established in the same Member State as the data subjects who are being monitored or to whom goods or services are offered. Exceptions apply if the data controller or processor:
• is a public sector body; or
• only processes on occasion, does not process large amounts of special data, and its processing is unlikely to result in a risk for the rights and freedoms of individuals.
Article 27 requires companies that are not established in the EU, but that monitor or process the personal data of people within the EU, to appoint an EU-based representative to act as their Europe-facing point of contact for individuals and local data protection authorities. The purpose of this is simple: it ensures that EU citizens will be able to contact the controllers and processors outside of Europe that hold their personal data, without having to make the potentially confusing, difficult and costly efforts required to contact them at their base.
So why is the message on the representative not reaching the companies obliged to appoint one?
Companies outside of Europe that have appointed a privacy consultant will be receiving the benefit of that consultant’s expertise in respect of applying the GDPR to the specifics of their business, but companies that have chosen to go it alone will largely be basing their preparations on materials coming out of the EU – none of which will mention the representative, because that obligation doesn’t apply to anyone in the EU.
The result? Many companies around the world, even those that are taking seriously their preparations for the GDPR, are going to be in breach of this obligation and in line for a potential administrative fine of up to 10 million euros or 2 percent of global turnover.
Companies that are still thinking about GDPR compliance need to hurry, as some supervisory authorities have started imposing penalties for late registration. If you have not already done so, please initiate the process, as not doing so will be viewed as a breach of the law. The earlier it is done, the lesser the fines for your company.
Do contact us if you wish to have a GDPR compliance solution for your business and help your organization Stay One Step Ahead!