This post may contain affiliate links, which means we may receive a commission, at no cost to you, if you make a purchase through a link. Please see our full disclosure for further information. If not otherwise stated, all prices are intended in US$.
Note: This is an impromptu post and doesn’t follow the quality standard of all my other posts. I originally published the following post on the wall of my Facebook Group Blogging for New Bloggers. After posting it, some very nice members asked how they could share it with fellow members in other Facebook groups. My Facebook group is private, so only members can see posts and posts are not shareable outside. So I copy-and-pasted my post below to allow members of my Facebook group to share it with their friends.
Hi New Bloggers,
There has been so much misconception and conflicting advice about the GDPR.
The latest false rumour is that if you’re based outside the EU, you MUST appoint an EU representative under the GDPR (which is quite expensive, prices range between $100 and $3,000 a year).
This is NOT true.
The appointment of an EU representative is NOT a mandatory requirement.
Article 27 of the GDPR comes with an exemption and therefore an EU representative doesn’t need to be appointed by default.
Each blogger can assess their specific situation to determine whether they meet the criteria for the exemption and, accordingly, whether or not to appoint an EU representative.
Exemption: data processing which is occasional, does not include, on a large scale, processing of sensitive data or data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing.
Now, the problem here is that the GDPR doesn’t specifically define what “occasional” means. Some guidelines have been offered by the ICO with regard to the term “occasional” in Article 30 of the GDPR and a contrario in a few guidelines released by the Article 29 Working Party on the meaning of regular and systematic processing with regard to the designation of a Data Protection Officer (DPO) (which is a different thing from the EU representative!).
A strict interpretation of the provisions would point towards the necessity of appointing an EU representative in most cases but the GDPR comes with a lot of grey areas.
We will have to see how the provisions will be interpreted by the EU Courts, but it’s safe to predict that, when interpreting the meaning of occasional processing, they will take into account whether the processing is more than incidental to the normal activities of your blog and whether your blog would suffer a material negative impact and financial repercussions if you didn’t carry out the processing.
Even agencies providing EU representatives for companies outside the EU are advising their prospective clients that if the income generated through their processing activities amounts to less than 10% of the annual turnover, they don’t need to appoint an EU representative.
Personally, I have appointed an EU representative, but only because, although I’m based in Australia, I own a law firm in Italy (EU) and so it was pretty easy and inexpensive to appoint one for me.
However, big pro bloggers and websites such as SmartPassiveIncome, AmyPorterfield, BackLinko, MakingSenseofCents, MelyssaGriffin and similar that have
1) millions of visitors
2) the financial resources to consult with the best lawyers for their GDPR compliance and/or to appoint an EU representative if so required
have all updated their privacy policies to the GDPR but have NOT appointed an EU representative.
They relied on the exemption with that kind of income and number of monthly visitors. Needless to say, the average blogger’s data processing is definitely more occasional than theirs.
The bottom line is that the appointment of an EU representative is not mandatory. It depends on the specific circumstances of your blog, on a case-by-case basis. In most cases, the outcome of the assessment for new bloggers or small blogs will determine that you don’t need to appoint one. You can if you like, but you’re not required to by law. If you decide not to appoint one, document your decision to comply with the accountability principle of the GDPR.
Please, please, please, I have said it already and I will say it again, please check the reliability of your sources* about the GDPR.
The GDPR is quite complex and non-compliance comes with many risks, including fines up to EUR 20 million, complaints with supervisory authorities, reputational damage, loss of earnings, and even the possibility of getting sued by your users.
You are the one risking this, not the authors of all these articles spreading myths and rumours.
Before I go, please let me bust another myth.
Blocking users from the EU is NOT the solution.
- The EU has already adopted a geo-blocking regulation, coming into force by the end of the year, which prohibits unjustified geo-blocking, and other forms of discrimination, based on customers’ nationality, place of residence, or place of establishment. It applies to websites based in the EU at the moment, but it wouldn’t surprise me if they were to make one with worldwide application soon.
- Besides, the GDPR will soon be the new standard. Your blog will look spammy if you don’t comply, users will lose trust, brands may not want to work with you in the future if you’re not compliant, etc. Let me give you an example: if wherever you go you see sign-up forms with checkboxes, what would you think of a blog that doesn’t have checkboxes on its sign-up forms?
Please take this stuff seriously.
If you don’t know much about the GDPR, you can read my post on the GDPR for bloggers and online entrepreneurs and if you need help with your GDPR compliance you can check this out.
*I’m a lawyer, I have a PhD in EU law, I have published several books, chapters and articles in academic journals on the subject of individuals’ rights, and I have taught EU law at several universities in different countries.