It is quite refreshing to be able to be definitive with regard to a question on email marketing; not something which I am all that familiar with, but I’ll give it a go. You require a European representative if you are a UK-based controller or processor with no offices, branches or other establishments in the EEA, but you are offering goods or services to individuals in the EEA or monitoring their behaviour. It’s more involved for the rest.
If you thought the EU’s Adequacy decision with regard to our compliance with the EU GDPR meant we did not need a European representative, then I’m sorry to say you are probably wrong. I accept that it’s an additional burden for SMEs, but I’m not sure the EU cares.
If you have no base in the EU, you need to appoint a representative in an EEA or EU state in which some of the people whose personal data you are processing live. Their function is to represent you with regard to your obligations under the EU GDPR. There are a number of companies offering this service.
As ever, you need to ensure that all your processes are clear, and your appointment of your representative must be in writing. Anyone engaged in email marketing and following the ICO’s requirements will, probably, be able to predict a representative’s function. That’s to cooperate with the supervisory authorities, help communication between you and those in the member states you hold data on and, obviously, keep a record of all their activities. This last is a requirement under Article 30 of the GDPR.
The supervisory authority, no longer our ICO, will pursue any enforcement actions through your representative for any non-compliance. An outsider being responsible for your actions might well make you consider liaising regularly with them to ensure that they comply with your requirements.
Your privacy policies should display your representative’s contact details. You should ensure that they fully understand your data flows and, probably, are aware of any previous breaches or non-compliance with what is now the UK GDPR. Part of their function would be to maintain your Records of Processing Activities (RoPA). And there’s more. It is best to follow the ICO’s guidance on the matter.
Your representative will be obliged to cooperate with the EU supervisory authorities and to assist communications between those in the EU and your organisation. It’s clearly quite a commitment. On the more positive side, under the UK GDPR, a similar obligation is placed on companies in the EU in similar situations.
If your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, the regulations say you have no need to appoint a representative. Also, matters are a bit different for public authorities.
Further information is available, as always, on the ICO website, and it goes into considerable detail. The EDPB has published guidelines on appointing a representative, including whether you need one or not, which are, I suggest, required reading.