The GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), an EU Regulation which will govern the processing of personal data across all European Union member states, and by non-EU individuals and entities to the extent that they process the personal data of individuals in the European Union.
GDPR will apply to your organisation if you:
- have an establishment in the European Union (EU); and/or
- offer goods or services into the EU or you monitor the behaviour of people within the EU.
You will need to appoint a Data Protection Officer (DPO) if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
DPOs help you monitor internal compliance, inform and advise you on your data protection obligations, provide advice on Data Protection Impact Assessments (DPIAs), and act as a contact point for data subjects and the supervisory authority.
An EU Representative is the representative of a non-EU organisation in the EU under GDPR.
You will need to appoint an EU Representative if GDPR applies to your organisation, you have no establishment in the EU, and no exemption applies.
You will be exempt from appointing a representative if all of the following requirements are met:
- the processing of personal data is only occasional,
- it does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences, and
- it is unlikely to result in a risk to the rights and freedoms of natural persons.