What obligations apply to an entity acting as a representative? Which entity bears responsibility in the event of GDPR violations?
ANSWER
The basic role of a representative is to represent the controller or processor in respect of their obligations under the GDPR, as a rule in relation to the supervisory authority. Under Article 27(4) GDPR, when designating its representative, the controller or processor should ensure that other entities may contact that representative on all matters relating to processing. The provision gives examples such as supervisory authorities and data subjects. It expressly states that the representative may act in this respect (as the addressee of correspondence), replacing the controller or processor or acting alongside them.
In commentary on Article 4(17) GDPR concerning the definition of a representative, the following guidance can also be found:
The representative represents the controller or processor in respect of their obligations under the GDPR. In practice the representative will therefore perform obligations analogous to those of a data controller's representative within the meaning of Article 31a of the former Personal Data Protection Act — information obligations, data security, obligations arising from the data subject's information rights (cf. J. Barta, P. Fajgielski, R. Markiewicz, Ochrona, 2004, p. 627; A. Drozd, Ustawa, p. 213). The representative may also be the addressee of possible actions by the supervisory authority (cf. Recital 80 of the GDPR preamble) — Regulation (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Commentary ed. P. Litwiński, 1st ed., 2018.
As a rule, the representative's role will therefore be limited primarily to contacts with the supervisory authority and exercising information rights vis-à-vis data subjects; however, as the guidance cited indicates, it may take on a broader dimension, e.g. data security. Moreover, the wording "in particular" used in Article 27(4) GDPR means that this is not a closed list.
As follows directly from Article 27(5) GDPR, designating a representative by the controller or processor does not affect the possibility of initiating proceedings against the controller or processor themselves.
Unlike the recitals, the GDPR itself does not provide in any provision for directing means of enforcing rights arising from the GDPR (or decisions issued on the basis of the GDPR) against the representative. In particular, the representative is not the addressee of claims based on Article 79 GDPR (the right to an effective judicial remedy against a controller or processor), nor of compensation claims for infringement of the GDPR (Article 82 GDPR), nor of decisions described in Article 58(2) GDPR.
Designating a representative therefore does not, regardless of how the parties structure the designation document, transfer the liability for infringement of the GDPR that rests on the controller and processor. Any divergent arrangements between the parties to the representative relationship will be ineffective vis-à-vis third parties. The question of the representative's fault towards the controller itself should follow from the contractual provisions between those entities.


