by adambrenecki 2954 days ago
> I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

Lots of people are responding to the DPO side of this sentence, saying that it's not as onerous as the author of this article is making it sound, but as someone who's also not based in the EU it's the "EU Representative" part that I'm more worried about myself.

Article 27 says:

> (1) Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

Article 3(2) is the bit that says the GDPR applies to processing outside the EU of EU citizens' data etc.

> (2) The obligation laid down in paragraph 1 of this Article shall not apply to:
>
> a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
>
> b) a public authority or body.

It's clear here that not everyone outside the EU needs to have an EU representative, but 2a is wordy and confusing enough that it's real hard for a non-EU non-lawyer to figure out with certainty whether or not they need one. The ambiguous combination of 'and's and 'or's doesn't help, but 'unlikely to result in a risk to the rights and freedoms of natural persons' sounds like something that's ambiguous enough on its own that you might need an EU lawyer to actually interpret it.