Ovaj tekst je primarno upućen non-EU poslovnim entitetima koji obrađuju osobne podatke osoba u EU, stoga nastavljamo u revijalnom tonu na engleskom jeziku, tekst preuzet s relevantnog GDPR foruma:
If You are a Controller/Processor established outside the EU and subject to the GDPR, You have to designate a Representative in the Union unless an Exemption criteria is met.
In this regard, the recent EDPB 'Guidelines on Territorial Scope' has summarised that:
1. The Representative may be a natural/legal person established in the Union.
2. A Representative can be appointed based on a Service Contract concluded with an individual/organisation.
3. A Representative can also act on behalf of several non-EU controllers/processors.
4. The Establishment of the Representative is the location of data subjects whose personal data are processed.
5. The controller or processor must provide to its Representative accurate/updated information for maintaining the Record.
6. He/she cooperates with the competent DPA about any action taken to ensure compliance.
7. The EDPB doesn't consider the function of representative in the Union as compatible with the role of DPO.
8. Art. 27(2) foresees derogation from the mandatory designation. 9. Enforcers are enabled to initiate enforcement actions against a representative in the same way as against controllers or processors, including administrative fines and penalties, and liabilities.
Ove obveze odnose se i na poslovne subjekte iz non-EU zemalja u regiji.