Do I need to appoint an Article 27 GDPR Representative?

The EU's data protection regulation (GDPR) can apply to businesses based outside the EU. Don't risk significant fines (up to €10,000,000 or 2% of your total worldwide revenue, whichever is greater) through non-compliance.

This simple self-assessment will help you determine if you should appoint a GDPR EU Representative.

Article 27 GDPR Self Assessment

GDPR EU Representative Self Assessment

This simple two-minute self-assessment will help determine if Article 27 applies to your business. It has been written with as little "legal-ese" as possible, to make it easier to follow. However, as with most regulations, GDPR can be quite complex to interpret. Be sure to seek local legal advice if you are unsure.

Is your organisation a business?

It does not matter how big or small your business is, or how many employees it has. GDPR applies to businesses, and not to individuals acting in their personal capacity.

If your organisation is a “Public Authority” you do not need to appoint a GDPR representative.

Is your business “established” in the European Union, including the UK?

Does your business entity (not a group company or any affiliate company) have a physical office or employees in the EU, or has it appointed sales agents who are in the EU, including the UK?

Whether a business is “established” is determined on a case-by-case basis, depending on the facts.

Does your business process personal data of any individuals in the EU, including the UK?

“Process” includes using, transferring, modifying, holding, storing, archiving and backing up.

“Personal data” includes any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly (i.e. when matched with other data that is currently available or may be available in the future), in particular by reference to an identifier such as a name, an email address, an identification number, location data, an online identifier (e.g. an IP address, a geo-locator, or pixels that collect IP addresses), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data can be held electronically or in a structured (i.e. not random) manual filing system.

Does your business “offer” goods or services (including where no charge is made) to individuals in the EU, including the UK?

“Offer” includes using a website to offer your goods or services, provided that your website is targeting the EU (e.g. the website has euro- or pound-denominated pricing, the website text can be displayed in any of the EU languages including English, or the website has testimonials from EU individuals).

“Offer” does not include having a website which simply has your products and services advertised, but without “targeting” EU individuals.

Does your business monitor the behaviour of individuals who are in the EU, including the UK?

Examples of “monitoring behaviour” include:

  • where your business monitors the location of its employees or contractors in the EU (e.g. your employees have computers/phones and those computers'/phones' IP addresses are geo-tracked for security or other reasons);
  • behaviour-based marketing;
  • market surveys and other behavioural studies;
  • personalised diet or health studies;
  • monitoring or reporting on an individual’s health status.

You also need to consider how your website operates. GDPR defines personal data very broadly and includes IP addresses, geo-location data and similar data, which is used by many websites, and especially by website analytics tools, to identify where the devices using your website are located.

It does not matter whether the individuals whose behaviour your business is monitoring are EU citizens or live in the EU; the test is whether the individual is in the EU at the time of the monitoring.

Does your business process personal data about EU individuals only “occasionally”, and not more frequently than that?

“Occasionally” means one-off, infrequent and not repetitive. So, for example, if your business is processing payroll data of EU individuals, or you are tracking the location and usage of users of your website through a website analytics program, or you actively receive orders for goods or services, this would not be “occasional” use, and you should answer "No" to this question.

Does your business do any large scale processing of special category data or criminal offence data, even occasionally?

“Large scale” would include using website analytics with geo-tracking of IP addresses for substantial numbers of people, or, for example, CCTV coverage of public places.

“Special category data” is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Is your business's processing of personal data of EU individuals likely to result in a risk of loss of privacy rights and freedoms to those individuals?

Even if your business only processes the personal data occasionally, and even if it is not large-scale processing of special category data or criminal offence data, you should answer "Yes" if there is a likelihood of a risk of loss of privacy rights or freedoms.

Your business does not require a GDPR Representative

Based on the answers you provided, your business is not required to appoint an EU Representative as described under Article 27 of GDPR.

Your business should appoint an Article 27 GDPR Representative

Based on the answers you provided, the requirement under Article 27 of GDPR to appoint an EU Representative applies to your business.

Non-compliance with Article 27 can result in a fine of up to €10,000,000 or 2% of your total worldwide revenue (whichever is greater).

Let us help

Compliance with Article 27 is relatively simple. All that is required is for you to appoint and maintain an EU GDPR Representative.

Select the size of your business in the form below to appoint Juksta as your Article 27 GDPR Representative today, and we will walk you through the process simply and easily. Prices start from only €19 per month, after a 30-day free trial.

Can we help you be compliant?

It is relatively easy to comply with Article 27. By appointing and maintaining a Representative you will be compliant.

We are happy to act on your behalf, as your Article 27 GDPR Representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU today.