Article 27 GDPR: Difference between revisions
m (→Commentary) |
|||
(28 intermediate revisions by 9 users not shown) | |||
Line 185: | Line 185: | ||
==Legal Text== | ==Legal Text== | ||
<br /><center>'''Article 27 - Representatives of controllers or processors not established in the Union'''</center | <br /><center>'''Article 27 - Representatives of controllers or processors not established in the Union'''</center> | ||
<span id="1">1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.</span> | <span id="1">1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.</span> | ||
Line 202: | Line 202: | ||
==Relevant Recitals== | ==Relevant Recitals== | ||
{{Recital/80 GDPR}} | |||
==Commentary== | ==Commentary== | ||
The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. This provision demands the existence a contact point for data subjects and intends to ensure that there is legal accountability for processing activities by mandating the appointment of a representative, unless one of the exemptions in Article 27(2) GDPR apply. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations placed on controllers and processors based outside of the EU. | |||
<u>EDPB Guidelines:</u> for this Article see EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]). | |||
=== | ===(1) Conditions for applicability=== | ||
==== | ==== Where Article 3(2) applies ==== | ||
In case the territorial scope of [[Article 3 GDPR|Article 3(2) GDPR]] applies to a controller or processor not established in the Union (due to the processing of personal data of data subjects in the Union related to either the offering of goods or services to such data subjects or the monitoring of their behaviour in the Union),<ref>Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behaviour of the data subjects within the Union.</ref> the controller or processor must designate a ''representative'' in the Union.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 23 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> | |||
{{Quote-EDPB|"Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 23.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | |||
==== The controller or processor shall designate in writing ==== | |||
The obligation to designate a representative in the Union is directed at controllers and processors established outside of the union but performing some kind of processing targeting data subject in the Union (i.e. falling under [[Article 3 GDPR|Article 3(2) GDPR]]). If more than one processing activities of the controller or processor fall under Article 3(2) GDPR, it is sufficient to designate one representative. At the same time, one representative can act on behalf of one or more controllers and/or processors outside of the Union.<ref>EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 24 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]).</ref> | |||
The designation of the representative must be done in writing. This is necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. However, this agreement could not be concluded by email.<ref>''Martini'', in Paal, Pauly, DS-GVO BDSG, Article 27, margin numbers 17-20 (C.H.Beck 2021, 3rd Edition).</ref> | |||
In practice, the function of ''representative in the Union'' can be exercised based on a contract concluded between the controller or processor and an individual or an organization, provided that the individual or organization is established in the Union. The role can be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or private companies.''<ref>''Gola'', in Gola, Heckmann, DS-GVO, Article 4 GDPR, margin number 131 (C.H. Beck 2022).</ref>'' However, according to the EDPB, the role should not overlap with the DPO’s role given its requirement for independence.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 24 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> | |||
{{Quote-EDPB|"Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 24 et seq.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | |||
==== | ==== Representative in the Union ==== | ||
Article | A representative is defined in [[Article 4 GDPR|Article 4(17) GDPR]] as a "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation". | ||
The GDPR does not specify any particular requirements for the representative.<ref>Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what ''Millard'' and ''Kamarinou'' have labeled as enhancing the “''practical-procedural traction of the GDPR''”. See, ''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).</ref> However, under [[Article 4 GDPR|Article 4(17) GDPR]], the representative must be capable of representing the controller or processor "with regard to their obligations under this Regulation".<ref>''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).</ref> Therefore, the representative should act on behalf of the controller or processor according to the mandate received.<ref>Recital 80. </ref> The representative should also act as a (possible) point of contact for data subjects as well as for supervisory authorities<ref>Article 31 GDPR stipulates the representative's duty to cooperate, on request, with the supervisory authority. </ref> and should be able to provide documentation to the authorities like the record of processing activities.<ref>Article 30 GDPR stipulates the controller's or processor's obligation to maintain the record of processing activities; see also ''Ziebarth'', in Sydow, Marsch, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 202 (Nomos 2022, 3rd Edition).</ref> The information provided to data subjects under [[Article 13 GDPR|Articles 13(1)(a)]] and [[Article 14 GDPR|14(1)(a) GDPR]] must contain information of the controller's representative. | |||
Article 27 | {{Quote-example|A company established in the US is the provider of a webshop directed to data subjects in the Union. According to Article 27 GDPR the controller must designate a representative in the Union (in the on of the member states where the products are offered).}} | ||
The representative designated by the controller or processor should be subject to enforcement proceedings in case of non-compliance by the controller or the processor.<ref>Recital 80.</ref> However, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> | |||
It remains unclear how compliance of the GDPR by entities not providing such a representative should be effectively ensured (e.g. regarding public authorities that are excluded from the designation of a representative).<ref>''Ziebarth'', in Sydow, Marsch, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2022, 3rd Edition).</ref> Arguably, also a voluntary designation of a representative is possible.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 5 (C.H. Beck 2024, 4th Edition).</ref> | |||
=== | It should be noted however, that the one-stop-shop mechanism ([[Article 60 GDPR|Article 60 et seqq. GDPR]]) is not applicable for controllers and processors outside of the Union. | ||
===(2) Exemptions=== | |||
==== | ==== The obligation shall not apply to... ==== | ||
Article 27( | The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (a) when the processing is occasional, does not include data covered by [[Article 9 GDPR]] or [[Article 10 GDPR]], and is unlikely to result in a risk to the rights and freedoms of natural persons, and (b) when the processing is done by a public authority or body. | ||
It should be noted that all processing activities of a controller under [[Article 3 GDPR|Article 3(2) GDPR]] should be considered; if just one of those activities does not fall under one of the exceptions below, a representative has to be designated for all processing activities under [[Article 3 GDPR|Article 3(2) GDPR]] (if not otherwise agreed upon).<ref>''Hartnung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 6 (C.H. Beck 2024, 4th Edition).</ref> | |||
Article | ====(a) Processing which is occasional and does not include data in the sense of [[Article 9 GDPR|Articles 9]] and [[Article 10 GDPR|10 GDPR]]==== | ||
The first exemption in Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions: | |||
First, the processing must be "''occasional''". A processing activity can be considered occasional if it is not carried out regularly and is not part of the regular course of business or activity of the controller or processor.<ref>EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 25 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]).</ref> In other words, occasional refers to a "non-systematic" processing, i.e. a processing happening on an ad hoc and infrequent basis and not in a regular way.<ref>''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, p. 595 (Oxford University Press 2020).</ref> | |||
[[Article | Second, it must not include "''processing of special categories of data as referred to in [[Article 9 GDPR|Article 9(1)]] or processing of personal data relating to criminal convictions and offences referred to in [[Article 10 GDPR|Article 10]]''" on a large scale. What meaning should be assigned to the expression “''large scale''” is not entirely clear but considerations could include a temporal, quantitative or qualitative aspects.<ref>''Hartnung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (C.H. Beck 2024, 4th Edition).</ref> Recital 91 mentions processing operations which aim to process "''a considerable amount of personal data'' [...] ''which could affect a large number of data subjects''". | ||
[ | {{Quote-EDPB|"[T] the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned - either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 25 et seq.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | ||
Third, the processing must be "''unlikely to result in a risk to the rights and freedoms of natural persons''". Thus, processing activities with a (not unlikely) risk to data subjects can not be subject to this exception to delegate designate a representative in the Union. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both its likelihood and severity. This includes, ''inter alia'', risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage. | |||
The unifying factor of these three (cumulative) conditions is the existence of processing which is in some way 'non-negligible' because of its scale, the data processed, or its possible negative consequences. In all the other cases, a representative in the Union must be appointed and the exemption in Article 27(1)(a) GDPR cannot apply. | |||
====(b) Processing carried out by a public authority or body ==== | |||
The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. The reason for this is exception is the territoriality principle in international law. According to this principle, no state has power or jurisdiction over another state and the Union cannot unilaterally impose requirements on another state or its public authorities.<ref>see ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 11 (C.H. Beck 2024, 4th Edition) with critical remarks.</ref> | |||
[ | It is up for the supervisory authority to assess on a case-by-case basis what constitutes a public authority or body.<ref>EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 26 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]).</ref> It should be considered whether the potential public authority or body processes personal data for their public purposes.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 11 (C.H. Beck 2024, 4th Edition).</ref> However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the Union, or offering them goods or services, are likely to be limited.<ref>EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 26 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]).</ref> | ||
===(3) Place of establishment of the representative=== | |||
Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. | |||
{{Quote-EDPB|"In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 26.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | |||
[ | The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 26 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established. However, the wording of the provision implies that the controller or processor is free to designate a representative in a Member State of his choice as long as some of the affected data subjects are in this member state.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 12 (C.H. Beck 2024, 4th Edition) with further reverences.</ref> | ||
===(4) Obligations and responsibilities of the representative=== | |||
While Article 27(1) GDPR mandates a designation of the representative in a written form, Article 27(4) GDPR specifies that the representative's mandate must include that the representative's competence to be addressed ''in addition to or instead of'' the controller or the processor by, in particular, supervisory authorities and data subjects, on ''all issues related to processing, for the purposes of ensuring compliance''" with the GDPR. The representative's mandate can also include other responsibilities not explicitly stated in the GDPR.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 27, margin number 49 (C.H. Beck 2021, 3rd Edition).</ref> | |||
Therefore, data subjects, supervisory authorities or any other party can address the representative on "''all issues related to processing''" in order to "ensure compliance with" the GDPR. This can be done "''in addition to or instead of''" addressing the controller or processor themselves. This wording seems to imply that the controller or processor mandating the representative can choose the respective scope of the representation (i.e. if the representative should by the sole or an additional point of contact).<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2024, 4th Edition); ''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition) with reference to a diverging opinion.</ref> In any way, this means that the main role of the representative is to serve as a(n additional) point of contact and be readily available for supervisory authorities, data subjects and other interested parties regarding data protection matters. | |||
[[Article | Regarding the communication with data subjects, the representative has to provide relevant information (as particularly stipulated in [[Article 13 GDPR|Articles 13(1)(a)]] and [[Article 14 GDPR|14(1)(a) GDPR]]), and facilitate inquiries by data subjects by, ''inter alia'', accepting documents or requests for the controller or processor. | ||
{{Quote-EDPB|"While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights are effective."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 27.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | |||
Article 27(4) GDPR also stipulates that the representative must be mandated to be a point of contact for supervisory authorities. Recital 80 GDPR, clarifies that the representative should cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. Such obligation is also mandated in [[Article 31 GDPR]]. | |||
{{Quote-EDPB|"In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 27.|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | |||
Under [[Article 30 GDPR]] the representative of the controller or processor must maintain a record of the processing activities performed by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information.<ref>EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 27 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]).</ref> At the same time, the representative must be ready to share this record which should also enable the representative to give more qualified responses to supervisory authorities as well as to data subjects.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 16 (C.H. Beck 2024, 4th Edition).</ref> | |||
To fulfil all of these responsibilities effectively, the representative may enlist the support of a team and ensure effective communication in the appropriate languages.<ref>EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 6 (available [https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en here]); ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2024, 4th Edition).</ref> | |||
{{Quote-common-mistake|It should be noted that the position of a controller's or processor's representative is not compatible with the role of the same controller's or processor's DPO or (sub)processor.}} | |||
=== (5) Continued liability === | |||
Article 27(5) GDPR makes it very clear that the controller or processor cannot escape legal liability by designating a representative. | |||
{{Quote-EDPB|"[T]he designation of a representative in the Union does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves. The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union."|EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 6 (available).|4=https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en}} | |||
Indeed, it states that legal action can be initiated directly against the controller or processor. This notably happened in a case before the Austrian DPA, in which it chose to address a decision directly to a US company instead of its representative in the Netherlands, because “''Article 27(5) GDPR does not entail a transfer of responsibility''”.<ref>Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available [https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00 here]).</ref> | |||
Direct liability of the representative is limited to the obligations set out in [[Article 30 GDPR|Article 30]] and [[Article 58 GDPR|Article 58(1)(a) GDPR]]; however, supervisory authorities can address corrective measures or administrative fines and penalties imposed on the controller or processor directly to the representative.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 28 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> | |||
==Decisions== | ==Decisions== | ||
→ You can find all related decisions in [[:Category:Article 27 GDPR]] | → You can find all related decisions in [[:Category:Article 27 GDPR]] |
Latest revision as of 12:58, 15 November 2024
Legal Text
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
- (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- (b) a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Relevant Recitals
Commentary
The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. This provision demands the existence a contact point for data subjects and intends to ensure that there is legal accountability for processing activities by mandating the appointment of a representative, unless one of the exemptions in Article 27(2) GDPR apply. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations placed on controllers and processors based outside of the EU.
EDPB Guidelines: for this Article see EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), (available here).
(1) Conditions for applicability
Where Article 3(2) applies
In case the territorial scope of Article 3(2) GDPR applies to a controller or processor not established in the Union (due to the processing of personal data of data subjects in the Union related to either the offering of goods or services to such data subjects or the monitoring of their behaviour in the Union),[1] the controller or processor must designate a representative in the Union.[2]
"Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation."
The controller or processor shall designate in writing
The obligation to designate a representative in the Union is directed at controllers and processors established outside of the union but performing some kind of processing targeting data subject in the Union (i.e. falling under Article 3(2) GDPR). If more than one processing activities of the controller or processor fall under Article 3(2) GDPR, it is sufficient to designate one representative. At the same time, one representative can act on behalf of one or more controllers and/or processors outside of the Union.[3]
The designation of the representative must be done in writing. This is necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. However, this agreement could not be concluded by email.[4]
In practice, the function of representative in the Union can be exercised based on a contract concluded between the controller or processor and an individual or an organization, provided that the individual or organization is established in the Union. The role can be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or private companies.[5] However, according to the EDPB, the role should not overlap with the DPO’s role given its requirement for independence.[6]
"Similarly, given the possible conflict of obligation and interests in cases of enforcement proceedings, the EDPB does not consider the function of a data controller representative in the Union as compatible with the role of data processor for that same data controller, in particular when it comes to compliance with their respective responsibilities and compliance."
Representative in the Union
A representative is defined in Article 4(17) GDPR as a "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation".
The GDPR does not specify any particular requirements for the representative.[7] However, under Article 4(17) GDPR, the representative must be capable of representing the controller or processor "with regard to their obligations under this Regulation".[8] Therefore, the representative should act on behalf of the controller or processor according to the mandate received.[9] The representative should also act as a (possible) point of contact for data subjects as well as for supervisory authorities[10] and should be able to provide documentation to the authorities like the record of processing activities.[11] The information provided to data subjects under Articles 13(1)(a) and 14(1)(a) GDPR must contain information of the controller's representative.
For example: A company established in the US is the provider of a webshop directed to data subjects in the Union. According to Article 27 GDPR the controller must designate a representative in the Union (in the on of the member states where the products are offered).
The representative designated by the controller or processor should be subject to enforcement proceedings in case of non-compliance by the controller or the processor.[12] However, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.[13]
It remains unclear how compliance of the GDPR by entities not providing such a representative should be effectively ensured (e.g. regarding public authorities that are excluded from the designation of a representative).[14] Arguably, also a voluntary designation of a representative is possible.[15]
It should be noted however, that the one-stop-shop mechanism (Article 60 et seqq. GDPR) is not applicable for controllers and processors outside of the Union.
(2) Exemptions
The obligation shall not apply to...
The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (a) when the processing is occasional, does not include data covered by Article 9 GDPR or Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (b) when the processing is done by a public authority or body.
It should be noted that all processing activities of a controller under Article 3(2) GDPR should be considered; if just one of those activities does not fall under one of the exceptions below, a representative has to be designated for all processing activities under Article 3(2) GDPR (if not otherwise agreed upon).[16]
(a) Processing which is occasional and does not include data in the sense of Articles 9 and 10 GDPR
The first exemption in Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions:
First, the processing must be "occasional". A processing activity can be considered occasional if it is not carried out regularly and is not part of the regular course of business or activity of the controller or processor.[17] In other words, occasional refers to a "non-systematic" processing, i.e. a processing happening on an ad hoc and infrequent basis and not in a regular way.[18]
Second, it must not include "processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10" on a large scale. What meaning should be assigned to the expression “large scale” is not entirely clear but considerations could include a temporal, quantitative or qualitative aspects.[19] Recital 91 mentions processing operations which aim to process "a considerable amount of personal data [...] which could affect a large number of data subjects".
"[T] the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned - either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data processing activity; the geographical extent of the processing activity."
Third, the processing must be "unlikely to result in a risk to the rights and freedoms of natural persons". Thus, processing activities with a (not unlikely) risk to data subjects can not be subject to this exception to delegate designate a representative in the Union. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both its likelihood and severity. This includes, inter alia, risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage.
The unifying factor of these three (cumulative) conditions is the existence of processing which is in some way 'non-negligible' because of its scale, the data processed, or its possible negative consequences. In all the other cases, a representative in the Union must be appointed and the exemption in Article 27(1)(a) GDPR cannot apply.
(b) Processing carried out by a public authority or body
The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. The reason for this is exception is the territoriality principle in international law. According to this principle, no state has power or jurisdiction over another state and the Union cannot unilaterally impose requirements on another state or its public authorities.[20]
It is up for the supervisory authority to assess on a case-by-case basis what constitutes a public authority or body.[21] It should be considered whether the potential public authority or body processes personal data for their public purposes.[22] However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the Union, or offering them goods or services, are likely to be limited.[23]
(3) Place of establishment of the representative
Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
"In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored."
The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.[24] One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established. However, the wording of the provision implies that the controller or processor is free to designate a representative in a Member State of his choice as long as some of the affected data subjects are in this member state.[25]
(4) Obligations and responsibilities of the representative
While Article 27(1) GDPR mandates a designation of the representative in a written form, Article 27(4) GDPR specifies that the representative's mandate must include that the representative's competence to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance" with the GDPR. The representative's mandate can also include other responsibilities not explicitly stated in the GDPR.[26]
Therefore, data subjects, supervisory authorities or any other party can address the representative on "all issues related to processing" in order to "ensure compliance with" the GDPR. This can be done "in addition to or instead of" addressing the controller or processor themselves. This wording seems to imply that the controller or processor mandating the representative can choose the respective scope of the representation (i.e. if the representative should by the sole or an additional point of contact).[27] In any way, this means that the main role of the representative is to serve as a(n additional) point of contact and be readily available for supervisory authorities, data subjects and other interested parties regarding data protection matters.
Regarding the communication with data subjects, the representative has to provide relevant information (as particularly stipulated in Articles 13(1)(a) and 14(1)(a) GDPR), and facilitate inquiries by data subjects by, inter alia, accepting documents or requests for the controller or processor.
"While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights are effective."
Article 27(4) GDPR also stipulates that the representative must be mandated to be a point of contact for supervisory authorities. Recital 80 GDPR, clarifies that the representative should cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. Such obligation is also mandated in Article 31 GDPR.
"In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union."
Under Article 30 GDPR the representative of the controller or processor must maintain a record of the processing activities performed by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information.[28] At the same time, the representative must be ready to share this record which should also enable the representative to give more qualified responses to supervisory authorities as well as to data subjects.[29]
To fulfil all of these responsibilities effectively, the representative may enlist the support of a team and ensure effective communication in the appropriate languages.[30]
Common mistake: It should be noted that the position of a controller's or processor's representative is not compatible with the role of the same controller's or processor's DPO or (sub)processor.
(5) Continued liability
Article 27(5) GDPR makes it very clear that the controller or processor cannot escape legal liability by designating a representative.
"[T]he designation of a representative in the Union does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves. The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union."
Indeed, it states that legal action can be initiated directly against the controller or processor. This notably happened in a case before the Austrian DPA, in which it chose to address a decision directly to a US company instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.[31]
Direct liability of the representative is limited to the obligations set out in Article 30 and Article 58(1)(a) GDPR; however, supervisory authorities can address corrective measures or administrative fines and penalties imposed on the controller or processor directly to the representative.[32]
Decisions
→ You can find all related decisions in Category:Article 27 GDPR
References
- ↑ Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behaviour of the data subjects within the Union.
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 23 (available here).
- ↑ EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 24 (available here).
- ↑ Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin numbers 17-20 (C.H.Beck 2021, 3rd Edition).
- ↑ Gola, in Gola, Heckmann, DS-GVO, Article 4 GDPR, margin number 131 (C.H. Beck 2022).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 24 (available here).
- ↑ Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”. See, Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).
- ↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).
- ↑ Recital 80.
- ↑ Article 31 GDPR stipulates the representative's duty to cooperate, on request, with the supervisory authority.
- ↑ Article 30 GDPR stipulates the controller's or processor's obligation to maintain the record of processing activities; see also Ziebarth, in Sydow, Marsch, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 202 (Nomos 2022, 3rd Edition).
- ↑ Recital 80.
- ↑ Recital 80 sentence 5 GDPR.
- ↑ Ziebarth, in Sydow, Marsch, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2022, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 5 (C.H. Beck 2024, 4th Edition).
- ↑ Hartnung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 6 (C.H. Beck 2024, 4th Edition).
- ↑ EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 25 (available here).
- ↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, p. 595 (Oxford University Press 2020).
- ↑ Hartnung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (C.H. Beck 2024, 4th Edition).
- ↑ see Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 11 (C.H. Beck 2024, 4th Edition) with critical remarks.
- ↑ EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 26 (available here).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 11 (C.H. Beck 2024, 4th Edition).
- ↑ EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 26 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 26 (available here).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 12 (C.H. Beck 2024, 4th Edition) with further reverences.
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 27, margin number 49 (C.H. Beck 2021, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2024, 4th Edition); Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition) with reference to a diverging opinion.
- ↑ EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 27 (available here).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 16 (C.H. Beck 2024, 4th Edition).
- ↑ EDPB, 'Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)', 12 November 2019 (Version 2.1), page 6 (available here); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2024, 4th Edition).
- ↑ Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 28 (available here).