Absence of establishment in the EU and notification of the DPO
To which supervisory authority should a notification of the DPO designation be addressed for entities not established in the Union?
Notification to the supervisory authority of the designation of a DPO by the entities indicated in Article 3(2) of the GDPR should be made to the supervisory authority in the Member State where the controller's representative in the EU is established.
To entities (controllers and processors) that are not established in the EU, the GDPR may apply, including with respect to the obligation to designate a data protection officer, when their processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
Such controllers and processors should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under GDPR (Article 27 (5) of the GDPR, Recital 80).
To which authority should such entities address notification of the designation of a DPO? Using the analogy of the personal data breach notification obligation and the guidance provided in the context of this obligation for entities that are not established in the EU in the Article 29 Working Party’s Guidelines on Personal data breach notification under Regulation 2016/679 (WP 250), notifications related to the DPO should be addressed to the supervisory authority in the Member State where the controller's representative is established. In the case of data protection breach notifications, the WP commented as follows: „(...)Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34.
Article 27 requires a controller (and processor) to designate a representative in the EU where Article 3(2) applies. In such cases, WP29 recommends that notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established. Similarly, where a processor is subject to Article 3(2), it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33 (2).”