The EU's data protection regulations (GDPR) can apply to businesses based outside the EU.
Don't risk significant fines (up to €10,000,000 or 2% of your total worldwide revenue, whichever
is greater) through non-compliance.
This simple self-assessment will help you determine if you should appoint a GDPR EU Representative.
This simple 2-minute self-assessment will help determine if Article 27 applies to your business.
It has been written with as little "legal-ese" as possible, to help make it easier.
However, as with most regulations, GDPR can be quite complex to interpret. Be sure to seek local
legal advice if you are unsure.
Is your organisation a business?
It does not matter how big or small your business is, or how many employees it has.
GDPR applies to businesses, and not to individuals acting in their personal capacity.
If your organisation is a “Public Authority” you do not need to appoint a GDPR
Is your business “established” in the European Union, including the UK?
Does your business entity (and not a group company or any affiliate company) have a
physical office or employees in the EU or has it appointed sales agents who are in
the EU, including the UK?
The issue of being “established” is determined on a case by case basis, depending
on the facts.
Does your business process personal data of any individuals in the EU,
including the UK?
“process” includes using, transferring, modifying, holding, storing, archiving
and backing up.
“personal data” includes any information relating to an identified or identifiable
natural person; an identifiable natural person is one who can be identified,
directly or indirectly (i.e. when matched with other data that is currently
available or may be available in the future), in particular by reference to an
identifier such as a name, email address, an identification number, location data,
an online identifier (e.g. IP address, geo locator, pixels that collect IP
addresses) or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person.
Personal data can be held electronically or in a structured (i.e. not randomly)
organised manual filing system.
Does your business “offer” goods or services (including where no charge is made) to
individuals in the EU, including the UK?
“Offer” includes using a website to offer your goods or services, provided that
your website is targeting the EU (i.e. the website has Euro or pound denominated
pricing, the website text can display in any of the EU languages including English,
or the website has testimonials from EU individuals).
“Offer” does not include having a website which simply has your products and
services advertised, but without “targeting” EU individuals.
Does your business monitor the behaviour of individuals who are in the EU, including
An example of “monitoring behaviour” would include:
Also, you need to consider how your website operates. GDPR defines personal data
very broadly, and the definition includes IP addresses, geo location data and similar
data which is used by many websites, and especially website analytics tools, to identify
where devices that are using your website are located.
It does not matter whether the individuals whose behaviour your business is
monitoring are EU citizens or are living in the EU; the test is whether
the individual is in the EU at the time of the monitoring.
Does your business process personal data about EU individuals only
“occasionally”, and not more frequently than that?
“Occasionally” means one-off, infrequent and not repetitive. So, for example,
if your business is processing payroll data of EU individuals, or you are tracking
the location and usage of users of your website through a website analytics
program, or you actively receive orders for goods or services, this would not be
“occasional” use, and you should answer "No" to this
Does your business do any large scale processing of special category
data or criminal offence data, even occasionally?
“large scale” would include using website analytics with geo tracking of IP addresses
for substantial numbers of people, or for example, CCTV coverage of public places.
“special category data” is personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership,
and the processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data concerning a natural
person’s sex life or sexual orientation.
Is your business's processing of personal data of EU individuals
likely to result in a risk of loss of privacy rights and freedoms to those
Even if your business only processes the personal data occasionally,
and even if it is not large scale processing of special category data or criminal
offence data, you should answer "Yes" if there's a likelihood of a risk of loss of privacy
rights or freedoms.
Based on the answers you provided, your business is not
required to appoint an EU Representative as described under Article 27 of GDPR.
Based on the answers you provided, the requirement under Article 27 of GDPR
to appoint an EU Representative applies to your business.
Non-compliance with Article 27 can result in a fine of up to €10,000,000 or 2% of your total
worldwide revenue (whichever is greater).
Let us help
Compliance with Article 27 is relatively simple. All that is required is for you to appoint and maintain
an EU GDPR Representative.
Select the size of your business in the form below to appoint Juksta as your Article 27 GDPR Representative today, and
we will walk you through the process simply and easily.
Prices start from only €19 per month, after a 30-day free trial.
It is relatively easy to comply with Article 27. By appointing and maintaining a
Representative you will be compliant.
We are happy to act on your behalf, as your Article 27 GDPR Representative. Our
monthly, flat-fee price is based on the size of your business.
Select your business size to appoint us as your GDPR representative in the EU today.