Article 27 GDPR: Difference between revisions
Line 208: | Line 208: | ||
===(1) Conditions for Applicability=== | ===(1) Conditions for Applicability=== | ||
Where [[Article 3 GDPR|Article 3(2) GDPR]] applies<ref>[https://gdprhub.eu/index.php%3Ftitle=Article_3_GDPR Article 3(2) GDPR] can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union.</ref>, the controller or processor must designate a representative in the Union. | |||
The designation must be done in written form.<ref>Some commentators argue that the mandate must be in writing in order to be valid. This would be necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by simple email. See, ''Martini'', in Paal & Pauly, DS-GVO Art. 27, margin numbers 17-20 (3rd ed., C.H.Beck 2021).</ref> The GDPR does not specify any particular requirements for the representative. Accordingly, it can be any natural or legal person capable of representing the interests of the controller or processor. In this sense, it is argued, the representative should at least be able to fulfil its obligations under the GDPR.<ref>In particular, handling requests from data subjects. ''Martini'', in Paal & Pauly, DS-GVO Art. 27, margin numbers 25 (3rd ed., C.H.Beck 2021).</ref> | |||
explicitly assigned to act on the behalf of the controller or processor with regard to their obligations under the GDPR.<ref>''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).</ref> The representative must also cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. The representative can be a natural or legal person that is established in the Union, as per [[Article 4 GDPR|Article 4(17) GDPR]]. | |||
===(2) Exemptions=== | ===(2) Exemptions=== |
Revision as of 17:04, 15 February 2022
Legal Text
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
- (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- (b) a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Relevant Recitals
Commentary of Article 27
The aim of Article 27 GDPR is to ensure that the level of protection afforded to data subjects based in the union is not reduced in instances where non-EU based controllers or processors process their data. It aims to provide a contact point for data subjects, while ensuring simultaneously that there is legal accountability for the processing activities, achieved through the provision of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations that is placed on controllers and processors based outside of the union.
(1) Conditions for Applicability
Where Article 3(2) GDPR applies[1], the controller or processor must designate a representative in the Union.
The designation must be done in written form.[2] The GDPR does not specify any particular requirements for the representative. Accordingly, it can be any natural or legal person capable of representing the interests of the controller or processor. In this sense, it is argued, the representative should at least be able to fulfil its obligations under the GDPR.[3]
explicitly assigned to act on the behalf of the controller or processor with regard to their obligations under the GDPR.[4] The representative must also cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. The representative can be a natural or legal person that is established in the Union, as per Article 4(17) GDPR.
(2) Exemptions
Article 27 GDPR begins with the blanket requirement that where a controller or processor fulfils the conditions laid out in Article 3(2) GDPR, a representative established in the Union must be designated in writing. Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”.[5]
The requirement to designate a representative is, however, not absolute. Immediately in Article 27(2) GDPR, exemptions to this requirement are presented.
Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include Article 9 GDPR or Article 10 GDPR data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.
(a) Processing Which is Occasional and Does Not Include Data in the Sense of Articles 9 and 10 GDPR
Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing is "occasional". The term has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.[6] Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing,[7] or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.
Article 27(2)(a) GDPR also specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 GDPR specifies that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk.
(b) Processing Carried Out by a Public Authority or Body
The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what a public authority or body constitutes. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the union, or offering them goods or services, are likely to be limited.
(3) Place of Establishment of the Representative
Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subject has had goods or services offered to them or has had their behaviour monitored. The EDPB has made the recommendation that “where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State”. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.[8] One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.
(4) Obligations and Responsibilities of the Representative
Article 27(4) GDPR stipulates that the representative shall be responsible for complying with the GDPR in regards to the processing activities that take place. However, the EDPB guidelines on the territorial scope of the GDPR state that the direct liability of the representative is limited to the obligations that are set out in Article 30 GDPR and in Article 58(1)(a) GDPR. Under Article 30 GDPR the representative of the controller or processor must maintain a record of the processing activities done by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to provide this record. The EDPB has also confirmed that the representative must be in a position where they can effectively communicate with data subjects and cooperate with supervisory authorities.[9]
(5) Continued Liability
However, Article 27(5) GDPR makes very clear that the controller or processor cannot escape legal liability solely by virtue of designating a representative. In fact, Article 27(5) GDPR states that legal action can be initiated directly against the controller or processor. Indeed, this happened in a case before the Austrian Data Protection Authority, in which the DPA chose to address a decision directly to a US company, instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.[10]
Decisions
→ You can find all related decisions in Category:Article 27 GDPR
References
- ↑ Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union.
- ↑ Some commentators argue that the mandate must be in writing in order to be valid. This would be necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by simple email. See, Martini, in Paal & Pauly, DS-GVO Art. 27, margin numbers 17-20 (3rd ed., C.H.Beck 2021).
- ↑ In particular, handling requests from data subjects. Martini, in Paal & Pauly, DS-GVO Art. 27, margin numbers 25 (3rd ed., C.H.Beck 2021).
- ↑ Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).
- ↑ Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).
- ↑ WP29, position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR, p. 2. This position paper was endorsed by the EDPB.
- ↑ Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, p. 595 (Oxford University Press 2020).
- ↑ EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 26.
- ↑ EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 26.
- ↑ Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00).