Article 25*
Article 25 – Representatives of controllers not established in the Union
Commission Proposal
1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.
2. This obligation shall not apply to:
(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.
4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.
EDRi’s proposed amendment
1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.
2. This obligation shall not apply to:
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.
4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.
Justification
The current wording of Article 25 states that businesses with fewer than 250 employees do not have to appoint a representative in the EU. This exception would make effective enforcement very difficult, if not impossible, creating a major loophole. Smaller companies can hold enormous numbers of records and should therefore appoint a representative in the EU in order to allow for effective enforcement of the Regulation. Without such a representative, a European DPA would have to go to a court in its own country to ask for confirmation of its jurisdiction if the data controller does not comply. This is extremely time-consuming as well as ineffective, as nothing prevents a data controller from going to a court in its own place of residence and asking for a contradictory ruling. We suggest basing the obligation to appoint a representative on the number of persons whose data are processed by a controller. Such a person may be an employee, a customer, a prospect or a natural person in any other capacity. The amount of personal data being processed should be the determining factor, not the size of the enterprise. Additionally, the exception for controllers established in third countries regarding which a positive adequacy decision has been issued should be removed.