Kaleidoscope Data Privacy Consultants provides Data Protection Representative (DPR) services to organisations based in third countries for regulatory compliance with the EU General Data Protection Regulation (GDPR).
The relevant sections of the law are provided below and the links to the specific articles also include cross-references the to referring EU GDPR recitals.
We offer specific response protocols for clients that process health data, for example in the event of an adverse reaction in a clinical trial, and are happy to develop tailored protocols for other industry sectors.
Where clients choose, we offer dedicated landing pages on our website (see here), as well as dedicated email addresses, telephone numbers, and other customised communication channels as required fro inclusion in statutory notices, e.g. Privacy Notices and Informed Consent Forms.
Chapter I – General provisions: Territorial Scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
GDPR article 27 says:
Chapter IV – Controller and processor Section 1: General obligations: Representatives of controllers or processors not established in the Union
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.