Article 27 GDPR Representative

Are you required by Article 27 of the General Data Protection Regulation (GDPR) to appoint an EU representative?

If your business is not established in the EU and offers goods or services to, or monitors the behaviour of, EU residents, then GDPR Art 27 almost certainly requires you to appoint a representative.

Failure to comply with Article 27 may expose you to regulatory fines of up to €10,000,000 or 2% of your global turnover (whichever is greater).

Not sure if Article 27 of GDPR requires you to appoint a representative? Take our free 2-minute self-assessment.

Our representative service

When you appoint Juksta to act as your representative in the European Economic Area (EEA), our services include:

  • Use of our EU-based business address as your GDPR representative address.
  • Being named as your point of contact for the EEA in your privacy notices.
  • Being the addressee for all requests relating to your personal data processing activities from EU data protection authorities and data subjects.
  • Providing you with a data subject access request (DSAR) portal to assist you with processing requests from data protection authorities and data subjects.
  • Maintaining records of processing activities relating to your personal data processing requests, as required by Article 30 of GDPR.

Why do you need to appoint a representative?

Firstly, many businesses outside the EU are surprised to learn that the General Data Protection Regulation (GDPR) may also apply to them, not just EU companies.

Article 3 (2) of GDPR sets out that GDPR applies to data controllers or processors not established in the Union when they are processing personal data of data subjects who are in the Union, and the processing activities relate to:

  • a) the offering of goods or services, irrespective of whether a payment of the data subject is required; or
  • b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

If your business is outside the EU and you do either of these, then GDPR applies to you.

Secondly, Article 27 GDPR requires the appointment of an EU representative for businesses not established in the EU.

Article 27 (1) requires that data controllers or processors not established in the Union, to which GDPR applies, shall designate a representative in the Union. Article 27 (3) requires the representative to be in one of the EU member states where the business's data subjects, whose personal data is processed or whose behaviour is monitored, reside.

Thirdly, GDPR is a significant regulatory compliance risk to your business.

By December 2018 the total amount of GDPR-related fines was less than €500,000, whereas by December 2019 fines exceeded €400,000,000. The message from regulators in EU member states is clear: the honeymoon is over. Compliance with GDPR is a requirement and regulators are actively enforcing it.

With fines of up to €10,000,000 or 2% of total revenue (whichever is greater), non-compliance represents a significant financial risk to your business and should not be ignored.

To summarise:

If your business is outside the EU and you offer goods or services to EU residents, or monitor EU residents' behaviour (e.g. web analytics), then you are more than likely required to appoint an Article 27 GDPR representative. This representative must be in the EU. If you choose not to appoint a representative, you may be exposing your business to significant regulatory risk.

Are there any exemptions?

Yes, there is one exemption. Article 27 (2) states:

"The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body."

If your organisation can demonstrate the processing of personal data is "occasional" and unlikely to result in a risk to the rights and freedoms of natural persons, then it is doubtful you are required to appoint a representative. The European Data Protection Board (EDPB) provides the following assistance in interpreting what is meant by "occasional":

"In line with positions taken previously by the Article 29 Working Party, the EDPB considers that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor." - see Guidelines 3/2018, published November 2019

If you determine your processing is "occasional", you should document your decision and be prepared to prove that position. If you are unsure in any way, it may be worth considering the cost and risk of this position in comparison to the cost of appointing a representative.

Is this the same as a Data Protection Officer?

No, the role of a data representative is not the same as a Data Protection Officer (DPO) and comes with a separate set of responsibilities.

A DPO is an integral part of your organisation's GDPR compliance program, with responsibilities to independently oversee data protection strategies, educate staff, and assess and ensure GDPR compliance. The representative's primary purpose, by contrast, is to act on behalf of the data controller or processor to facilitate communication with EU data subjects on all issues relating to your personal data processing activities, as well as communication from supervisory authorities.

In November 2019 the European Data Protection Board (EDPB) published guidelines stating they do not consider the function of representative compatible with the role of an external DPO:

"Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union. The representative is indeed subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction. The representative is mandated by the controller or processor it represents, and therefore acting on its behalf in exercising its task, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner."

If you have already engaged an external DPO, you should appoint a different provider to act as your representative.

Benefits of appointing Juksta as your EU representative

Article 27 GDPR Compliance

Appointing an EU representative ensures compliance with Art 27 GDPR and eliminates the risk of a significant regulatory fine for not having a representative.

Customer Confidence

Demonstrate to customers your commitment to their rights to be informed about the collection and use of their personal data.

Article 30 GDPR Compliance

Personal data processing activities related to data subject access requests made via our system are recorded in compliance with Article 30 (1) & (2).

Simple Registration

Just register with our service online to appoint us as your GDPR representative in the EU. It takes less than 5 minutes.

No Lock-in contracts

Services are provided month-to-month, with no long-term subscriptions. You can exit at any time, with no additional fees or charges.

Free trial, low monthly fees

Try the service free for 30 days with no obligation to proceed and no requirement to provide your credit card. If you continue, fees start from only €19 a month.

Can we help you be compliant?

It is relatively easy to comply with Article 27. By appointing and maintaining a Representative you will be compliant.

We are happy to act on your behalf, as your Article 27 GDPR Representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU today.