Several provisions of the DGA, DMA, DSA and the proposed EHDS intersect with those of the GDPR, so that on various issues the applicable rules form a composite discipline drawn from multiple sources.
In this round, we focus on what is new concerning the EU representative, data brokering, data reuse, and data subjects' methods of control.
EU Representative
As with Article 27 of the GDPR, both the DGA and the DSA include an obligation to designate an EU representative.
According to the DGA, if a data intermediation service provider not established in the Union offers services in the Union, it must designate a legal representative to act on its behalf regarding its obligations under the DGA. In case of a violation, the competent authorities may initiate enforcement proceedings against a non-compliant data intermediation service provider not established in the Union through its representative [Recital (42) and Articles 2(21) and 11(3)].
According to the DSA, intermediary service providers who are established in a third country and offer intermediary services in the Union must designate a legal representative in the EU, vested with an appropriate mandate and having the necessary powers and resources to cooperate with the relevant authorities. The designated legal representative can be held liable for failure to comply with obligations under the DSA.
Unlike the representatives under the DGA and DSA, the GDPR representative is not liable for violations of the General Regulation committed by its principals.
The three acts (GDPR, DGA and DSA) are aligned in establishing that the designation of a legal representative within the Union does not entail the creation of an establishment in the Union [Recital (44) and Article 13, DSA].
Finally, under the EHDS, the manufacturer of an electronic health record system established outside the EU shall appoint its own authorized representative before placing the system on the EU market (Art. 18, EHDS).
The obligations to designate EU representatives contained in these regulations are complementary to, and not a substitute for, the one in Article 27 of the GDPR. In practice, different mandates will therefore have to be considered, although it is believed that they may converge on the same entity, whether a natural or a legal person.