Can Your GDPR Rep Also Be Your EU AI Act Authorised Rep?
As non-EU manufacturers prepare for the EU AI Act, many are exploring whether their existing GDPR Article 27 Representative can also serve as their Authorised Representative for AI systems. While consolidating representation offers apparent efficiencies, what specific criteria and potential risks should a medical device or SaMD manufacturer evaluate to ensure a single provider possesses the distinct competencies required for both roles?
For instance, beyond the baseline requirement of being established in the Union, how should a manufacturer assess a provider's capabilities across these divergent domains? A GDPR representative's core function centers on data protection, acting as a contact for data subjects and supervisory authorities regarding personal data processing. Conversely, an AI Act representative's responsibilities will likely involve liaising with market surveillance authorities, maintaining access to technical documentation for high-risk AI systems, and cooperating on conformity assessments—demanding a deep understanding of AI risk management, quality systems, and technical validation.
Therefore, when vetting a dual-role provider, what practical questions should be asked? How can a manufacturer verify that the provider’s team has technical experts capable of understanding the intricacies of an AI/ML-powered diagnostic tool, not just the data it processes? What contractual provisions are necessary to clearly delineate liability and responsibilities for an AI system failure versus a data breach? Furthermore, how should the provider's service model be structured to handle post-market surveillance and incident reporting obligations that may fall under both the AI Act and medical device regulations, ensuring seamless communication with both data protection and market surveillance authorities?
---
*This Q&A was AI-assisted and reviewed for accuracy by Lo H. Khamis.*
Asked by Lo H. Khamis
Answers
Lo H. Khamis
✓ Accepted Answer
## Can Your GDPR Representative Also Be Your EU AI Act Authorised Representative?
As non-EU manufacturers of medical devices and Software as a Medical Device (SaMD) navigate the evolving European regulatory landscape, the upcoming EU AI Act introduces a new compliance role: the Authorised Representative for AI systems. A common question arises for companies that have already appointed a GDPR Article 27 Representative: is it possible to consolidate these roles with a single provider?
While theoretically possible, the answer is complex. A single entity can serve both functions, but only if it possesses the distinct and specialized competencies required for each mandate. The roles, while both focused on EU representation, address fundamentally different domains: data privacy and product safety. A GDPR Representative is primarily concerned with the processing of personal data and liaising with data protection authorities. In contrast, an AI Act Authorised Representative will be responsible for product conformity, technical documentation, and engagement with market surveillance authorities. For manufacturers of AI-enabled medical devices, making this decision requires a rigorous evaluation of a provider’s capabilities to ensure they can manage the unique risks and responsibilities of both regulations.
### Key Points
* **Distinct Skill Sets Required:** The GDPR Representative role demands deep expertise in data privacy law and communication with Data Protection Authorities (DPAs). The AI Act Authorised Representative role requires technical and regulatory expertise in AI systems, quality management (like ISO 13485), risk management, and communication with Market Surveillance Authorities (MSAs).
* **Divergent Responsibilities:** A GDPR Rep acts as a contact point for data subjects regarding their personal data. An AI Rep acts as a legal proxy for the manufacturer, holding technical documentation and cooperating in conformity assessments and post-market surveillance for the AI product itself.
* **Liability and Risk Profiles Differ:** A failure in the GDPR role could lead to data breach notifications and significant fines related to privacy violations. A failure in the AI Act role could lead to product recalls, market withdrawal, and liability for harm caused by a malfunctioning AI system.
* **Vetting is Critical:** Manufacturers must move beyond a simple checklist and conduct a thorough due diligence process. This involves assessing a provider's technical team, their understanding of medical device regulations (MDR/IVDR), and their operational capacity to handle incidents that may span both data privacy and product safety.
* **Contractual Clarity is Non-Negotiable:** Any dual-role agreement must explicitly delineate the responsibilities, liabilities, and communication protocols for each regulatory framework to prevent ambiguity during a crisis.
### Understanding the GDPR Article 27 Representative
The role of a General Data Protection Regulation (GDPR) Article 27 Representative is firmly rooted in the domain of data privacy. This mandate applies to non-EU based organizations that process the personal data of individuals within the EU.
**Core Functions:**
* **Primary Point of Contact:** The representative serves as the main contact for EU-based data subjects who wish to exercise their rights (e.g., access, rectification, erasure).
* **Liaison with Authorities:** They are the official intermediary for communications with national Data Protection Authorities (DPAs).
* **Record Keeping:** The representative must maintain a copy of the manufacturer's records of processing activities (ROPA) and make it available to DPAs upon request.
The expertise required is legal and procedural, centered on data protection principles, breach notification protocols, and the interpretation of GDPR requirements. Their focus is on *how data is handled*, not on the safety or performance of the product that processes the data.
### The Emerging Role of the AI Act Authorised Representative
The EU AI Act, particularly for high-risk AI systems like many medical devices, will establish the role of an Authorised Representative. This function mirrors the Authorised Representative role under the Medical Device Regulation (MDR) and is fundamentally about product safety and market compliance.
**Expected Core Functions:**
* **Product Conformity Verification:** The representative must verify that the manufacturer has carried out the appropriate conformity assessment procedures.
* **Technical Documentation Access:** They are required to keep a copy of the EU declaration of conformity and the technical documentation available for inspection by national Market Surveillance Authorities (MSAs).
* **Cooperation with Authorities:** They must cooperate with MSAs, providing information and taking necessary actions to mitigate risks posed by the AI system.
* **Incident Reporting:** The representative will likely play a key role in forwarding notifications from the manufacturer to the relevant authorities regarding serious incidents and corrective actions.
The expertise needed here is technical and regulatory. The representative must be able to understand AI risk management frameworks, quality management systems, clinical validation data, and the technical intricacies of the AI-powered device.
### A Practical Framework for Vetting a Dual-Role Provider
Consolidating these roles is an exercise in risk management. A provider strong in GDPR but weak in AI technical compliance exposes the manufacturer to significant product-related liability. Conversely, a technical expert lacking deep GDPR knowledge creates data privacy risks.
Manufacturers should use a structured approach to vet any provider offering a combined service.
#### 1. Assess Technical and Quality System Expertise
This is the most critical hurdle. The provider cannot simply be a legal or administrative service; they must have demonstrable technical depth.
**Key Questions to Ask:**
* **Team Composition:** "Who on your team has direct experience with AI/ML development, validation, or AI-specific risk management (e.g., ISO/IEC 23894)? Can we review their qualifications?"
* **Medical Device & QMS Knowledge:** "Describe your team's experience with medical device quality management systems under ISO 13485 and the EU MDR/IVDR. How would you review our AI system's technical documentation for completeness?"
* **High-Risk System Experience:** "What is your experience representing manufacturers of high-risk devices (Class IIb/III under MDR or High-Risk under the AI Act)? Can you provide case studies?"
#### 2. Evaluate Combined Regulatory Competency
The provider must be fluent in the languages of both data protection and market surveillance.
**Key Questions to Ask:**
* **Authority Interaction:** "Describe your experience interacting with both DPAs (like the Irish DPC or German BfDI) and MSAs (like national competent authorities for medical devices). How do their priorities and procedures differ?"
* **Regulatory Monitoring:** "What is your process for monitoring updates to the AI Act, relevant harmonized standards, and GDPR guidance? How is this information communicated to clients?"
* **Integrated Compliance:** "How do you approach a situation where an AI system's function (e.g., continuous patient monitoring) has implications for both the AI Act (performance, bias) and GDPR (data minimization, legal basis)?"
#### 3. Scrutinize Contractual and Liability Frameworks
The service agreement must be a robust legal document that anticipates potential failures in either domain.
**Key Contractual Provisions to Verify:**
* **Separation of Duties:** The contract should clearly define the scope of services under the GDPR mandate versus the AI Act mandate.
* **Delineated Liability:** Liability clauses must be separate. The provider's liability for a GDPR-related fine should be distinct from their liability in the event of a product recall or harm caused by the AI system.
* **Insurance Coverage:** Request evidence of professional indemnity insurance that explicitly covers both data privacy incidents and product compliance/safety responsibilities.
* **Termination and Transition:** The agreement should outline a clear process for transitioning one or both representative roles to another provider if necessary.
#### 4. Verify Operational Procedures for Incident Response
A single incident can easily trigger obligations under both laws. For example, a cybersecurity breach in an AI-powered diagnostic tool could be both a personal data breach (GDPR) and a serious incident affecting device safety (AI Act/MDR).
**Key Procedural Questions to Ask:**
* **Incident Response Plan:** "Please provide your documented incident response plan. How does it address an event with overlapping GDPR and AI Act/MDR reporting obligations?"
* **Chain of Command:** "In a crisis, who is our single point of contact? How does your team coordinate communications with both a DPA and an MSA simultaneously to ensure a consistent message?"
* **Timelines:** "How does your system ensure that mandatory reporting timelines for both regulations (e.g., 72 hours for a GDPR breach, MDR vigilance timelines) are met concurrently?"
### Finding and Comparing Providers
Finding a provider with the rare combination of deep data privacy law expertise and robust technical/medical device regulatory knowledge is a significant challenge. Using a specialized directory can help manufacturers identify and vet potential partners efficiently. When comparing providers, focus on evidence of their dual competency. Ask for case studies, team member credentials, and detailed procedural documents, not just marketing materials.
To find qualified vetted providers [click here](https://cruxi.ai/regulatory-directories/gdpr_art27_rep) and request quotes for free.
### Key EU and Global Regulatory References
While this article focuses on EU regulations, manufacturers often operate globally and must remain aware of requirements in other key markets. For example, in the United States, the FDA has its own distinct set of regulations and guidance documents that apply to medical devices, including those with AI/ML components. A globally-minded compliance strategy considers requirements from multiple authorities.
Key references often consulted by global device manufacturers include:
* **Cybersecurity in Medical Devices:** Guidance from authorities like the FDA provides a framework for managing cybersecurity risks, which is relevant for connected AI-enabled devices.
* **FDA's Q-Submission Program Guidance:** This outlines processes for early engagement with the FDA, a principle that is mirrored in the EU by engaging deeply with Notified Bodies and potential Authorised Representatives.
* **21 CFR Part 807, Subpart E:** These are the U.S. regulations for Premarket Notification (510(k)), a common pathway for medical devices, illustrating the type of product-focused regulatory frameworks an Authorised Representative must understand.
---
This article is for general educational purposes only and is not legal, medical, or regulatory advice. For device-specific questions, sponsors should consult qualified experts and consider engaging FDA via the Q-Submission program.
---
*This answer was AI-assisted and reviewed for accuracy by Lo H. Khamis.*