Article 27 – A summary
Article 27 of the General Data Protection Regulation requires that Organisations that process EU residents’ data, but that are established outside of the EU, must formally appoint a representative under Article 27 of the GDPR in the European Union to represent them on data protection matters.
If you are processing personal data connected to
(A) The offering of goods or services, regardless of whether payment is required, to persons in the EU
(B) The monitoring of such person’s behaviour, if that behaviour takes place in the EU
Then under Art. 27 (1) GDPR, you must designate in writing a representative in the EU.
“Representative” means a natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the GDPR.
For example, if you are a US company not domiciled in the EU, the processing of the data of EU citizens that is connected with the provision of goods or services within the EU, then an EU- Based Representative is necessary.
A recent case in Austria against a US company, pursuant to Art. 27 (4) GDPR highlighted some key points around EU Representatives;
- Because the US company was based outside the EU, but their business was involved in the sale of goods to EU citizens, an EU- Based Representative was needed.
- Therefore, the EU- Based Representative was a necessary conduit for the proceedings, but the US company was still the liable party. Accordingly the authority stated that “Pursuant to Art. 27 (5) GDPR, the present decision of the data protection authority is directed against the [US company]”.
The European Representative has several key responsibilities;
- Maintaining records: The EU- Based Representative must maintain records of processing activities for the non-EU based company (which is the one that has to prepare and provide such records, pursuant to Article 30).
- Co-Operation and Liaison with supervisory authorities: The nominated EU- Based Representative, as shown in this case, is usually the first point of contact in case of a breach, and they must co-operate with the supervisory authorities in the EU.