Board/Forum registration
1. If we do not have to register with a board or forum, how are disputes of breaching dealt with? To whom do you report, except to the counterparty of the breach?
2. If we need to be compliant by the 27th December 2022, how will that be determined without being registered at a forum?
1. If we do not have to register with a board or forum, how are disputes of breaching dealt with? To whom do you report, except to the counterparty of the breach?
If you offer goods or services to people in the EU, or if you are monitoring the behavior of people in the EU, you are subject to GDPR, according to Article 3 GDPR – Territorial scope. In this case, you need to assign an EU Representative, according to Article 27 GDPR - Representatives of controllers or processors not established in the Union. This EU Representative can be one of your subsidiaries in the EU, or if you don’t have one, a consultancy company/other company which can represent you in the relationship with a Supervisory Authority. That Supervisory Authority becomes the Lead Supervisory Authority, and Data Subjects can file complaints/notifications to it. In your Privacy Notice, you need to mention the Lead Supervisory Authority. If you have a personal data breach that results in risks to the freedoms and rights of data subjects, you also need to report that data breach within 72 hours of its discovery, to the Lead Supervisory Authority.
For example, you could designate in writing an EU Representative in Poland. In that case, the Polish Supervisory Authority will be the authority you need to report to.
2. If we need to be compliant by the 27th December 2022, how will that be determined without being registered at a forum?
The new Standard Contractual Clauses must replace the old agreements by December 27, 2022. This is the responsibility of both the exporter of the personal data (the company in the EU) and the importer of the personal data (your company). The referenced Supervisory Authority is usually the one in the country of the data exporter. For example, if you receive personal data from France, the supervisory authority mentioned in the SCC should be the French Supervisory Authority, CNIL.
At Advisera, we have an EU GDPR Documentation Toolkit that could help you in your GDPR Compliance Journey. As part of the documentation, we have templates for Privacy Notices (necessary to mention the Lead Supervisory Authorities), a Data Breach Response and Notification Procedure, a Data Breach Notification Form to the Supervisory Authority, a template for the designation of an EU Representative, an International Personal Data Transfer Procedure as well as guidelines on how to fill the Standard Contractual Clauses. Also, you have Email support, Expert review of a document, One hour of live one-on-one online consultations with a GDPR expert,
Please also consult these links:
- Article 3 GDPR – Territorial scope: https://advisera.com/eugdpracademy/gdpr/territorial-scope/
- Article 27 GDPR - Representatives of controllers or processors not established in the Union: https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/
- EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
- WP244 - Guidelines for identifying a controller or processor’s lead supervisory authority: https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf
Oct 09, 2022