Authors: Gerrit Hornung
(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
I. Introduction
The GDPR defines the term “representative” but does not use it consistently, which is hardly surprising given its meaning in common parlance. In addition to the representative according to Art. 4 no. 17, there are also “representatives” of data subjects (Art. 35 para. 9), of involved parties in the EDPB (Art. 68 para. 3-5) and of third parties (Art. 76 para. 2).
II. Legal background
The term ‘representative’ was also contained in the DPD, albeit in a rather narrow sense (Art. 4 para. 2 DPD). More concretely, under the DPD the representative solely referred to the controller; whereas the GDPR captures both controllers and processors, who must designate a representative in the EU (→ Art. 27 mn. 2).
III. Analysis
Like some other definitions in Art. 4, no. 17 also mixes definitional elements with attributes that are in substance admissibility requirements. The latter applies in particular to the requirement of written form. The wording corresponds with Art. 4 no. 14 Council-R with the exception of the extension to processors, which, as with Art. 27, was included in the trialogue. The representative is to be designated in accordance with Art. 27 para. 1 if the GDPR is applicable as per Art. 3 para. 2 to controllers or processors in third countries; the provision serves the (limited) enforcement of the resulting obligations. The identity and the contact details of the representative must be provided to the data subject when the data is collected (Art. 13 para. 1 lit. a → Art. 13 mn. 6 and Art. 14 para. 1 lit. a → Art. 14 mn. 3). He has his own obligations under Art. 30 and Art. 31 and is the addressee of investigative measures under Art. 58 para. 1 lit. a. The extent to which additional obligations exist is controversial (→ Art. 27 mn. 26 et seq.).
No. 17 explicitly permits natural or legal persons as representatives. The only further explicit requirement for the representative is the establishment in the Union (Art. 52 TEU, Art. 355 TFEU), which is further restricted by Art. 27 para. 3 (→ Art. 27 mn. 19 et seq.). The concept of establishment corresponds to that of Art. 3 para. 1[1] (→ Art. 3 mn. 16 et seq., → Art. 27 mn. 20). In contrast to DPOs (Art. 37 para. 5), no special training or qualification is required; however, it is necessary that the representative or his employees have the personal skills (such as expert knowledge or reliability) to fulfil the tasks assigned to them in accordance with the GDPR.[2] Since this concerns the comprehensive representation of the controller or processor under the (entire) GDPR, a corresponding qualification in data protection law is indispensable.
Incompatibilities are not regulated in the GDPR. The representative may therefore simultaneously engage in other activities, e.g. as a lawyer or a consultant. It is also permissible to act as a representative for several controllers or processors from third countries, as long as there are no conflicts of interest. Finally, a branch not covered by Art. 3 para. 1 may be designated as representative (→ Art. 27 mn. 12).
[…]
[1]Martini in Paal/Pauly Art. 27 mn. 48; Piltz in Gola Art. 27 mn. 19; see also Tosoni, ‘Art. 4(17)’, in Kuner/Bygrave/Docksey, p. 241.
[2]Martini in Paal/Pauly Art. 27 mn. 25; Tosoni, ‘Art. 4(17)’, in Kuner/Bygrave/Docksey, p. 241; disagreeing: Kremer in Schwartmann et al. Art. 27 mn. 20.