Does your business need to appoint an Article 27 GDPR Representative?

What is a GDPR EU representative?

A GDPR representative is a special type of organisation prescribed by Art 27 of the EU Privacy Law, known as GDPR. Its role is to allow EU-based people (usually your EU customers and the EU regulators) to communicate with your business about a privacy-related matter under GDPR.

The GDPR representative must facilitate those communications to and from EU-based people and your business, although it is quite lawful for people to contact you directly as well as, or instead of, going via your EU representative.

The representative must be based in an EU country.

When do you need one?

Your business will need a GDPR representative if:

  1. it is subject to GDPR; and
  2. it does not have a "presence" in the EU; and
  3. its processing of "personal data" (as defined under GDPR) is not "occasional".

Public bodies that are subject to GDPR do not need to appoint a representative.

How do you know if your business is subject to GDPR?

GDPR, by law, applies to any business (irrespective of size) if any one of the following applies:

  • the business has a "presence" in the EU; OR
  • the business offers goods or services to individuals in the EU (whether at a fee or not); this includes having a website that targets people in the EU, such as by using Euro-denominated pricing, testimonials from EU people or EU language options; OR
  • the business monitors behaviour of individuals in the EU (which includes using analytics software on a website that tracks IP addresses of EU-based devices).

The word "presence" is not defined in GDPR, and will be decided by the courts based on all the circumstances at the time, but it is likely to include:

  • having an office location in an EU country; and
  • having employees (and possibly contractors/sales agents) in the EU who are representing your business on a regular basis.

Other guiding factors will be whether or not the business has a bank account in the EU, whether the business has other physical infrastructure, such as servers, in the EU, and whether the business has a "Permanent Establishment" for tax purposes in the EU.

The word "occasional" is not defined in GDPR, but repetitive processing, such as processing a payroll, is unlikely to be "occasional", and a business running website analytics on persons in the EU is highly unlikely to be "occasional".

Risk of non-compliance

Non-compliance with Article 27 exposes a business to significant administrative fines. A business which fails to appoint a nominated GDPR representative when required to do so faces a potential fine of up to €10 million or 2% of global annual turnover, whichever is greater.

Summary

If your business has no presence in the EU and offers goods and services to individuals in the EU, or monitors the behaviour of individuals in the EU, then GDPR applies to your business and you should appoint a GDPR Representative.

Company Groups and Franchises

Each legal entity is viewed separately and must comply separately. If there are a number of companies in the same group, or a franchise in which each franchisee is a separate legal entity, then it is necessary to apply the test to each separate legal entity in that group or franchise.

This may mean that in a group of companies all the subsidiaries or entities that are outside the EU each need a GDPR representative, or that the franchisor and each franchisee outside the EU will each need a GDPR representative.

Brexit and Article 27

The UK leaving the EU has a number of important consequences for the role of the GDPR Representative, including:

  • UK businesses may need to appoint a GDPR Representative.
  • Non-UK businesses may need to appoint a UK Representative.
  • Businesses currently using a UK entity as their GDPR Representative may need to replace them.

See our article on Brexit and Article 27 Representatives for additional details.

Can we help you be compliant?

It is relatively easy to comply with Article 27. By appointing and maintaining a Representative you will be compliant.

We are happy to act on your behalf, as your Article 27 GDPR Representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU today.