The data representative, a key player in your global compliance strategy

As data protection regulations proliferate globally, appointing a local representative has become a strategic lever for entering new markets in full compliance. This obligation can expose businesses to financial penalties if neglected.
In this issue, we help you understand when, where, and how to appoint a representative, and how the representative's tasks differ from those of the DPO.
With more than 40 members on all 5 continents, the Lexing network can support organizations worldwide and act as their local representative.
The Lexing® network members provide a snapshot of the current state of play worldwide.
The following countries have contributed to this Lexing Insights #43: Argentina, France, India, Portugal, South Africa, Spain.
FREDERIC FORSTER
VP of Lexing® network and Head of Telecommunications and Digital Communications at Lexing
With the advancement of second generation data protection regulatory frameworks in Latin America, new obligations have emerged in the region.
In this context, and considering the extraterritorial application of personal data regulations, the concept of a “legal representative” in the country where the data is collected has been introduced. This requirement first appeared in the EU General Data Protection Regulation (“GDPR”) and was subsequently adopted by later regulations.
In Latin America, in particular, there is a broad spectrum of personal data regulations, which may be categorized as either first-generation or second-generation laws. Generally, first-generation regulations in Latin America predate the GDPR and do not include the new obligations, such as the appointment of a representative. By contrast, post-GDPR regulations, mainly inspired by the European model, incorporate these new obligations.
Recently, the Ibero-American Data Protection Network issued an open letter addressed to companies that process personal data on a large scale within the jurisdictions of its member states, particularly those not domiciled in those countries. The letter encourages such companies to designate a representative before the local Data Protection Authority, with the necessary legal and administrative powers to act in data protection matters.
Although the designation of a local representative is not mandatory in most Ibero-American Data Protection Network member states, it remains a significant recommendation for companies and acts as an incentive for data protection authorities in member states to consider incorporating this requirement into their national regulations.
In this regard, below is a review of Latin American countries that require the appointment of a local representative or a Data Protection Officer (“DPO”) to serve as a point of contact for data protection matters within the country.
Representatives’ obligations under regional regulations
- Representatives in the country
Regardless of the date of enactment of the local regulations, and whether they are considered as either first-generation or second-generation, the role of the controller’s or processor’s representative in the country has not been widely incorporated in the different regional regulations.
It is worth pointing out that the obligation to appoint a local representative is absent from the Ibero-American Standards (a soft law document created by the Ibero-American network of data protection authorities for Latin America), and that Convention 108+ likewise does not require its parties to implement such an obligation.
This obligation has only been regulated under the data protection laws of Ecuador and Jamaica. In Jamaica, the law places the obligation to name a representative within the country on the controller only, unlike Ecuador and the GDPR, which place it on both controllers and processors.
Moreover, Uruguay's Decree 64/2020 provides that controllers and processors not located in Uruguay may appoint a legal representative within the country. The appointment is not mandatory; it is considered good practice.
- Data Protection Officer
Although the role of the representative under the GDPR is different from that of the DPO, with different characteristics and responsibilities, in Latin America the DPO often becomes an important figure and a local point of contact.
In practice, when companies are not established in a country where the regulation requires the appointment of a DPO, the person designated as DPO usually takes on the role of being both DPO and a local representative figure in the country. This is commonly adopted as a practical solution to facilitate communication with both authorities and data subjects.
In general, second-generation data protection laws have introduced specific regulations regarding the DPO role, and even some first-generation frameworks have incorporated this obligation through resolutions issued by national data protection authorities.
The countries in the region that provide for the obligation to appoint a DPO are Brazil, Ecuador, Jamaica, and Uruguay. Chile has also recently enacted a new data protection law, which will enter into force in December 2026 and regulates the figure of the DPO.
No representation or contact requirements
In other Latin American countries such as Argentina, Colombia, Costa Rica, Mexico, Nicaragua, Panama, and Peru no specific representation or DPO appointment is required under the applicable law.
In these cases, when companies have a presence in more than one country in the region, or are subject to stricter regulations, whether within Latin America or under the rules applicable to their head office, it is common practice to appoint a DPO within the region or to establish specific channels for communication with the authority and data subjects, as needed.
Summary table
PABLO A. PALAZZI
&
MERCEDES ELASKAR
Many companies operating internationally are subject to the obligations of the General Data Protection Regulation (GDPR) without being established within the European Union. Under Article 3(2) of the GDPR, any private entity that offers goods or services to individuals located in the EU or monitors their behavior while they are in the EU must comply with the GDPR’s requirements, even if it has no physical presence in Europe.
This situation results in a key obligation: the designation of a representative in the European Union, in accordance with Article 27 of the GDPR.
Are you processing the personal data of individuals in the EU without being established in the EU?
If you process the personal data of individuals located in the EU without being established in the EU, and no exception applies, you must comply with this legal obligation by designating in writing a representative established in one of the Member States where those individuals are.
The representative is mandated to be addressed, in addition to or instead of your organization, by supervisory authorities and data subjects on all issues related to your processing of personal data of individuals in the EU, and must be able to provide them with the necessary information about your processing activities.
It is recommended to designate a representative with expertise in data protection law and digital law in order to have a reliable and GDPR-compliant solution. By choosing the right representative, you will benefit from rigorous legal support and a local presence tailored to your needs, enabling you to operate with confidence in the European market.
Exceptions to the requirement to designate a representative
However, under Article 27(2) GDPR, the designation of a representative within the EU is not mandatory if:
- your processing activities related to the EU are occasional, do not include, on a large scale, processing of special categories of data (Article 9(1)) or of personal data relating to criminal convictions and offences (Article 10), and are unlikely to result in a risk to the rights and freedoms of natural persons (all three conditions must be met); or
- you are a public authority or public body.
FREDERIC FORSTER
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the draft rules framed under it (the “Draft DPDP Rules”, and, collectively with the DPDP Act, the “DPDP Framework”) apply to the processing of digital personal data within the territory of India, or outside the territory of India, where such processing relates to the offering of goods or services to Data Principals within the territory of India. (1)
The DPDP Framework mandates the appointment of a data protection representative whose role depends on the nature of the Data Fiduciary (controller). These representatives serve not only as the local interface for data subjects and regulators, but also as designated agents of compliance for the businesses they represent.
We also briefly reference herein the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Intermediary Rules”), framed under India’s Information Technology Act, 2000 (“IT Act”), under which certain representatives need to be appointed, as well.
Regulatory Representatives under the DPDP Framework
There are two (2) kinds of representatives that may be appointed: a data protection officer, or a data protection contact point.
Data Protection Officer
Under the DPDP Framework, Data Fiduciaries are the persons (including entities) that determine the purpose and means of processing such data, (2) while Data Principals are the individuals to whom the personal data relates. (3)
Among Data Fiduciaries, an entity may be classified as a Significant Data Fiduciary (“SDF”) (4) by the Central Government, based on factors such as volume and sensitivity of the personal data processed, risk to rights of the Data Principals, the potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. SDFs are mandated to appoint a Data Protection Officer (“DPO”). (5)
The DPO serves as the representative of the SDF under the provisions of the DPDP Act, and must be based in India. The DPO is also the point of contact for the grievance redressal mechanism under the DPDP Act. The DPO must report to the SDF’s Board of Directors or equivalent governing body, emphasising the role’s strategic importance. (6)
The contact details of the DPO must be published by the SDF to enable Data Principals to raise queries concerning the processing of their personal data. (7)
Data Protection Contact Point
In the absence of a DPO, the Draft DPDP Rules require all Data Fiduciaries to publish prominently on their website/app, and mention in all responses to communications for the exercise of Data Principal rights, the business contact information of a person able to answer the Data Principal’s questions. (8)
Unlike for a DPO, the Draft DPDP Rules do not set out specific requirements with respect to this person. However, such person should be able to address the Data Principal's queries on the processing of their personal data on behalf of the Data Fiduciary.
Regulatory Representatives under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
In India, under the Intermediary Rules, entities that are classified as ‘Significant Social Media Intermediaries’ (SSMIs) (9), and online gaming intermediaries that enable users to access any permissible online real money games, are required to appoint certain representatives to ensure accountability and responsiveness. (10)
Chief Compliance Officer
The Chief Compliance Officer (“CCO”) must be an employee of the intermediary, resident in India, and hold a key managerial or other senior position. (11)
The CCO is responsible for ensuring the intermediary’s compliance with the provisions of the IT Act and the rules framed under it. The CCO may be held liable in any legal proceedings relating to any relevant third-party information, data or communication link made available or hosted by that intermediary, where he/she failed to ensure that such intermediary observed its due diligence obligations under the IT Act. (12)
Nodal Contact Person
A nodal contact person, also a resident in India, is a representative apart from the CCO who must be appointed to coordinate with law enforcement agencies, and to ensure round-the-clock availability for coordination. (13)
Grievance Officer
All intermediaries governed by the Intermediary Rules are required to appoint a Grievance Officer, who is responsible for acknowledging user complaints within twenty-four (24) hours and resolving them within fifteen (15) days of receipt. (14)
For SSMIs and online gaming intermediaries, the Grievance Officer must be a person who is resident in India. (15)
Conclusion
There is clear regulatory intent to require the appointment of local data protection representatives across various technology laws in India. These requirements seek to ensure domestic accountability and prompt responsiveness from businesses.
We have set out above a short summary of the relevant laws. Understanding which representatives are required, and the qualifications and requirements attached to each, helps in framing a coordinated global strategy for such representation.
*****
(1) Section 3, DPDP Act
(2) Section 2(i), DPDP Act
(3) Section 2(j), DPDP Act
(4) Section 2(z), DPDP Act
(5) Section 10(2)(a), DPDP Act
(6) Ibid.
(7) Draft Rule 9, draft DPDP Rules
(8) Ibid.
(9) Rule 2(1)(v), Intermediary Rules
(10) Rule 4(1), Intermediary Rules
(11) Explanation to Rule 4(1)(a), Intermediary Rules
(12) Rule 4(1)(a), Intermediary Rules
(13) Rule 4(1)(b), Intermediary Rules
(14) Rule 3(2), Intermediary Rules
(15) Rule 4(1)(c), Intermediary Rules
SIDDHARTHA GEORGE
&
HARINI SUDERSAN
&
SATYAJIT R NAIR
Introduction
Several legal frameworks may require the appointment of a regulatory representative in Portugal; this contribution focuses on the Data Protection Officer.
As a European Union Member State, Portugal follows EU Regulation 2016/679 of the European Parliament and of the Council, commonly known as the General Data Protection Regulation (GDPR). The GDPR has been directly applicable since 25 May 2018 and is supplemented domestically by local legislation (Law no. 58/2019).
Compliance must also take into account sector-specific legal frameworks, such as those governing the workplace (employee monitoring), health care (genetic information), video surveillance and security, and direct marketing.
The Comissão Nacional de Proteção de Dados (CNPD) is the independent national authority responsible for monitoring compliance with the GDPR and local laws, issuing guidance and opinions, investigating complaints and data breaches and imposing administrative fines.
The Data Protection Officer
The DPO (1) ensures that an organisation complies with applicable data protection laws. As such, the DPO plays a key role in guaranteeing that the processing of personal data, whether relating to staff, customers, or other individuals, is carried out in accordance with GDPR requirements.
Article 37(1) of the GDPR sets out the circumstances in which the appointment of a DPO is mandatory. These are where:
the organisation is a public authority or body (except for courts acting in their judicial capacity); or
the core activities of the organisation consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the organisation consist of processing on a large scale of special categories of data (e.g., health, genetic, or biometric data, racial or ethnic origin, political opinions, etc.) or of personal data relating to criminal convictions and offences.
The DPO serves as a contact point between the data controller, data subjects, and the CNPD.
The DPO’s key responsibilities include:
informing and advising the data controller and employees involved in processing regarding their obligations under data protection law;
monitoring compliance with the GDPR and other applicable legislation;
advising, where requested, on data protection impact assessments (DPIAs);
cooperating with the CNPD and acting as its primary point of contact.
Appointment of the DPO
Organisations must first assess whether the appointment of a DPO is legally required. If so, the selected individual must have expert knowledge of data protection law and practices and a solid understanding of the organisation’s operations. No professional certification is required.
The DPO can be an employee, an external consultant, or a service provider. They must act independently, without receiving instructions regarding the performance of their tasks, and without any conflict of interest.
The DPO should not be appointed on a short-term or fixed-term contract to ensure continuity. The appointment must be formalised in writing – either as an internal decision or through a service agreement – and notified to the CNPD via its online platform. The notification must include:
the full name of the DPO;
their contact details;
whether the appointment is internal or external.
Once appointed, the organisation must inform staff and data subjects of the DPO’s identity and make their contact details publicly accessible, such as in privacy policies.
Conclusion
The Data Protection Officer is not only a legal requirement under the GDPR, but also a key figure in maintaining compliance with data protection laws and safeguarding the rights of data subjects in the European Union.
*****
(1) Articles 37, 38 and 39 of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016
JOÃO G. GIL FIGUEIRA
If you are located outside South Africa and process personal information in South Africa, you need to appoint an authorised representative in South Africa.
Do you process personal information in South Africa?
More precisely, does your organisation make use of means or equipment located in South Africa to process personal information? If so, the Protection of Personal Information Act (POPIA) (1) applies and you must comply. Examples of means or equipment include:
- a user’s personal computer (PC) or MacBook,
- a mobile or fixed line phone,
- any recording equipment, like a recorder,
- any computer hardware or software,
- cameras,
- books, sensors,
- terminals, servers, or data centres.
The net is therefore very broad: if, for example, your website is accessible to someone in South Africa on their computer or mobile phone and you collect their personal information, you process in South Africa and must comply. It is not true that organisations domiciled outside South Africa need not comply with POPIA or that the regulator cannot enforce POPIA against them.
If you use means or equipment in South Africa to process personal information, you must comply. This holds true even if you are domiciled outside South Africa.
However, there is an exception. If you use equipment (like a fibre optic cable) only to forward information through South Africa, POPIA does not apply to you.
Remember that process means processing by the responsible party (controller) or by an operator on its behalf (processor). So, if your operator is using means or equipment in South Africa to process personal information for you, you will have to comply.
Note that POPIA says “makes use of” not owns or controls. So if you use your or someone else’s equipment in South Africa to process personal information, you must comply.
A POPIA representative for South Africa
With the extra-territorial nature of data protection laws like the GDPR, many organisations are already familiar with the requirement to appoint a Data Protection Officer (DPO) or representative within certain jurisdictions. South Africa’s POPIA introduces similar obligations, requiring non-resident companies processing personal information in South Africa to appoint an authorised representative within the country.
Do you have a physical presence in South Africa? If not…
Our service includes registering your organisation and its default information officer (typically your CEO or Managing Director) with the South African Information Regulator (2). We act as the authorised point of contact for any regulatory communications, forwarding them to your designated person without taking any further actions on your behalf. This ensures that your organisation remains in control of all compliance-related decisions, while satisfying the regulatory requirement of having a local representative.
What is a South Africa representative?
A South African POPIA representative is largely the South African counterpart of the EU GDPR representative. It is a data protection representative in South Africa, specifically for organisations not established in South Africa, allowing the Information Regulator to communicate with you.
This data protection representative is not the same as an information officer (3), but rather supports the information officer in their duties by acting as a conduit between the Information Regulator and the information officer. If the Information Regulator needs to contact a responsible party (or data controller, in GDPR terminology) established outside of South Africa, they will contact the responsible party’s appointed POPIA representative in South Africa, who will refer the matter up the chain to the responsible party.
Further information
- https://www.michalsons.com/focus-areas/privacy-and-data-protection/do-you-need-a-south-africa-representative
- https://us02web.zoom.us/clips/share/8pmEeeDgRfyPpYal6FNDPw
- https://lexing.network/appoint-a-south-africa-dpo-representative/
*****
(1) Protection of Personal Information Act 4 of 2013
(2) https://inforegulator.org.za/
(3) https://www.michalsons.com/focus-areas/privacy-and-data-protection/information-officer-popi-paia
JOHN GILES
Under Article 27 of the General Data Protection Regulation (GDPR), appointing a GDPR representative in Spain is mandatory for data controllers and processors not established in the European Union who process personal data of individuals located in Spain.
Scope of application
This obligation applies to non-EU companies that either:
- offer goods or services to individuals in Spain, or
- monitor the behaviour of individuals in Spain, for instance through the use of tracking technologies or behavioural profiling.
Crucially, this requirement applies even if the company has no physical presence within the EU. The Spanish Data Protection Authority (AEPD) enforces a strict interpretation of this scope. Limited exceptions exist but are narrowly construed. These include cases of occasional, low-risk processing that is unlikely to affect individuals’ rights and freedoms. Additionally, foreign public authorities are exempt, as provided in Article 27.2 GDPR.
Representative’s duties
The EU Representative acts as the official point of contact in the EU for both data subjects and supervisory authorities, and is authorised to receive legal and administrative communications on behalf of the controller or processor.
Their responsibilities include:
- acting on behalf of the non-EU company in relation to its GDPR obligations (1);
- receiving and responding to data subject requests, regulatory notices, and legal communications;
- cooperating with supervisory authorities in investigations or audits;
- maintaining documentation on data protection compliance, including records of processing activities (RoPA) and evidence of lawful consent (2).
Importantly, the GDPR requires that the identity and contact details of the EU Representative be clearly stated in the privacy policy provided to data subjects (3). Failure to include this information may constitute a breach of GDPR transparency obligations.
The EU Representative must not be confused with the Data Protection Officer (DPO). While the DPO advises the organisation internally on privacy compliance and monitors implementation, the Representative is a designated external point of contact who acts under a mandate and does not hold an independent oversight or advisory function.
Specific requirements in Spain
In Spain, the appointment of the GDPR Representative is an internal matter between the controller or processor and the designated representative. There is no requirement to formally notify or register the appointment with the AEPD.
However, the representative must be able to produce written documentation of their mandate upon request from the AEPD, particularly during an investigation or enforcement action. This mandate should be duly signed, dated, and retained by both parties as proof of compliance with Article 27 GDPR.
Although no formal registration is required, the representative should have:
- a real and operational presence in Spain (especially if the company targets Spanish residents);
- the capability to manage communications in Spanish with authorities and data subjects;
- sufficient technical and human resources to handle data protection queries in practice.
Sanctions and enforcement
Spain’s Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) classifies the failure to appoint a representative when required as a serious infringement.
Such a breach can lead to:
- administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)(a) GDPR); and
- further sanctions where incomplete or misleading information is provided to the AEPD in the course of an investigation.
*****
(1) Article 27 GDPR
(2) Articles 27.4 and 30 GDPR
(3) Articles 13(1)(a) and 14(1)(a) GDPR
MARC GALLARDO
