Article 25*

Article 25 – Representatives of controllers not established in the Union

Commission Proposal

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.2. This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or
(b) an enterprise employing fewer than 250 persons; or
(c) a public authority or body; or
(d) a controller offering only occasionally goods or services to data subjects residing in the Union.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

Go to related Recital 63

Go to related Recital 64

EDRi’s proposed amendment

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.2. This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or
(b) an enterprise employing fewer than 250 persons processing personal data relating to fewer than 250 data subjects; or
(c) a public authority or body; or
(d) a controller offering only occasionally goods or services to data subjects residing in the Union.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

Justification

The current wording of Article 25 states that businesses with fewer than 250 employees do not have to appoint a representative in the EU. This exception would make effective enforcement very difficult, if not impossible, causing a major loophole. Smaller companies can hold enormous numbers of records and should therefore appoint a representative in the EU in order to allow for effective enforcement of the Regulation. Without such a representative, a European DPA would have to go to a court in its own country to ask for confirmation of its jurisdiction if the data controller does not comply. This is extremely time consuming as well as ineffective, as nothing prevents a data controller from going to a court in its own place of residence asking for a contradictory ruling. We suggest to base the representation of the number of persons whose data are processed by a controller. This may relate to an employee, a customer, a prospect or a natural person in any other quality. The amount of personal data being processed should be the determining factor, not size of enterprise. Additionally, the exception for controllers established in third countries regarding which a positive adequacy decision has been issued should be removed.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
  • EDRi.org
%d bloggers like this: