Representative and Data Protection Officer
As you will know, Controllers are obliged to notify the competent supervisory authorities of the contact details of their Data Protection Officers (“DPO”) according to Art 37 (7) GDPR. Infringement of this statutory obligation can result in an administrative fine. According to Art 27 GDPR, Controllers that are not established in the EU are required to designate a Representative within the EU in case GDPR applies to them. The infringement is again subject to administrative fines.
In Germany, notification of the appointment of a DPO had been delayed for technical reasons but is now implemented in each federal state. We fall into the competence of the Federal State of North Rhine-Westphalia, for which the grace period ends on December 31st 2018, and may therefore be fined beginning January 1st 2019 at the latest.
We would therefore like to provide you with some more information on the requirements of both obligations.
Any Controller or Processor that is not established in the EU is bound by GDPR when goods or services are offered to data subjects in the EU, or when the data subjects’ behaviour is monitored as far as the behaviour takes place in the EU, and subsequently is obliged to designate a Representative. In our opinion, any Registry or Registrar that targets the European market, either directly or through its Resellers, is bound by GDPR for the processing of personal data and therefore must designate a Representative.
Data Protection Officer
According to Art 37, a DPO must be assigned in case the processing activities of the company consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. Core activities relate to the primary activities of the controller and do not relate to processing of personal data as ancillary activities. This differentiation can be made based on the business purpose of the company and other factors. Specialist literature names some examples of situations in which processing of personal data shall be deemed a core activity of a company, such as “Headhunters” and credit agencies.
For Registries, Registrars and Resellers, one may argue that the core activity is to register and administer domain names and therefore no DPO must be assigned. However, the registration and administration of domain names is processing of personal data, as account holder and registration data are processed. We consider it likely that courts or supervisory authorities will deem such services not only ancillary activities, but a core activity.
To avoid the risk of being in breach of the GDPR, we recommend that Registries, Registrars and Resellers assign a DPO and notify the supervisory authorities accordingly.
Our firm offers the services of a Representative and of an external DPO. Please do not hesitate to reach out to us with any questions you might have.