We're wrestling with the requirement in GDPR for processors established outside the EEA to appoint an in-EEA designated representative. GDPR recital 80 appears to require a designated representative within the Union where data processors would otherwise meet the criteria in article 37(1) to appoint a DPO. We've examined the WP29 opinion 16 EN WP 243 on data protection officers, which recommends appointment of a DPO as a matter of good practice for processors.
We have instances in which third-party suppliers are refusing to appoint anyone within the EEA and wish to rely on staff that they employ in third countries. Has anyone else encountered this, and what approach have they taken when undertaking their supply chain audits?
As we cannot get commitment from some suppliers to appoint anyone in the EEA, we are considering looking at these on a case-by-case basis and asking for the DPO's mandate, written job description and reporting line, evidence of how the DPO was selected and what continuing professional development they're undertaking, so we can demonstrate some level of due diligence. Has anyone come across this situation, and how have they handled it?