Does your business need to appoint an Article 27 GDPR Representative?

  1. Home
  2. Knowledge Base
  3. Does your business need to appoint an EU Representative?

What is a GDPR EU representative?

A GDPR representative is a special type of organisation prescribed by Art 27 of the EU Privacy Law, known as GDPR, whose role is to allow EU based people (usually your EU customers and the EU regulators) who want to communicate with your business about a privacy related matter under GDPR to do so.

The GDPR representative must facilitate those communications to and from EU based people and your business, although it is quite lawful for people to contact you directly as well, or instead of, going via your EU representative.

The representative must be based in an EU country.

When do you need one?

Your business will need a GDPR representative if:

  1. it is subject to GDPR; and
  2. it does not have a "presence" in the EU; and
  3. its' processing of "personal data" (as defined under GDPR) is not "occasional".

Public bodies who are subject to GDPR do not need to appoint a representative.

How do you know if your business is subject to GDPR?

GDPR, by law, applies to any business (irrespective of size) if any one of the following apply:

  • the business has a "presence" in the EU; OR
  • the business offers goods or services to individuals in the EU (whether at a fee or not), this includes having a website that targets people in the EU, such as using Euro denominated pricing, testimonials from EU people or EU language options; OR
  • the business monitors behaviour of individuals in the EU (which includes using analytics software on a website that tracks IP addresses of EU based devices).

The word "presence" is not defined in GDPR, and will be decided by the courts based on all the circumstances at the time, but it is likely to include:

  • having an office location in an EU country; and
  • having employees (and possibly contractors/sales agents) in the EU who are representing your business on a regular basis.

Other guiding factors will be whether or not the business has a bank account in the EU, whether the business has other physical infrastructure, such as servers, in the EU, and whether the business has a "Permanent Establishment" for tax purposes in the EU.

The word "occasional" is not defined in GDPR, but repetitive processing, such as processing a payroll, is unlikely to be "occasional", and businesses running website analytics on persons in the EU is highly unlikely to be "occasional".

Risk of non-compliance

Non compliance with Article 27 exposes business to significant administrative fines. A business which fails to appoint a nominated GDPR representative when required to do so faces a potential fine of up to €10 million euros or 2% of global annual turnover, whichever is greater.

Summary

If your business has no presence in the EU and offer goods and services to individuals in the EU, or monitors the behaviour of individuals in the EU then GDPR applies to your business and you should appoint a GDPR Representative.

Company Groups and Franchises

As each legal entity is viewed separately, and must comply separately, if there is a number of companies in the same group of companies, or there is a franchise with each franchisee being a separate legal entity, then it is necessary to apply the test to each separate legal entity in that group or franchise.

This may mean that in a group of companies all the subsidiaries or entities that are outside the EU each need a GDPR representative or that the franchisor and each franchisee outside the EU will each need a GDPR representative.

Brexit and Article 27

There are a number of important consequences of the UK leaving the EU on the role of the GDPR Representative. Including:

  • UK businesses may need to appoint a GDPR Representative
  • Non-UK businesses may need to appoint a UK Representative
  • Businesses currently using a UK entity as their GDPR Representative may need to replace them.

See our article on Brexit and Article 27 Representatives for additional details.

Let's make you compliant

It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU & UK today.

Cookies

We use cookies to ensure that we give you the best experience on our website, to personalise our content and ads, analyse our site traffic and provide social media features. You consent to our cookies if you continue to use our website.
Essential
Analytics
Marketing

Essential cookies assist in making our website usable by providing functions such as navigation or access to secure areas of the site. They also may be used to help comply with legal requirements, such as GDPR. This website cannot function correctly without these cookies.

Name Provider Purpose Expiry Type
XSRF-TOKEN juksta.eu Helps prevent Cross-Site Request Forgery (CSRF) attacks. Session HTTP Cookie
juksta_session juksta.eu Preserves users states across page requests. Session HTTP Cookie
juksta_represent_session juksta.eu Preserves users states across page requests. Session HTTP Cookie
init_cookie_consent juksta.eu Helps manage cookie types preferences. 7300 days HTTP Cookie
cookie_consent juksta.eu Keep user selected cookie types. 7300 days HTTP Cookie
_ga Google Analytics Registers a Unique Identifer, used to generate statistical data on how the visitor uses the website for Google Analytics. 2 years HTTP Cookie
_gid Google Analytics Registers a Unique Identifer, used to generate statistical data on how the visitor uses the website for Google Analytics. 1 day HTTP Cookie
_gat_* Google Analytics Used by Google Analytics to throttle request rates, which means that it limits the collection of data on high traffic sites. 1 day HTTP Cookie

Analytic cookies help owners understand how visitors interact with their sites by collecting and reporting information.

Marketing cookies are used by 3rd parties to track users across websites with the intent to display advertising targeted to the individual user. There are no marketing cookies used by this website.