Article 27 GDPR
Legal Text
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
- (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- (b) a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Relevant Recitals
Commentary of Article 27
The aim of Article 27 GDPR is to ensure that the level of protection afforded to data subjects based in the union is not reduced in instances where non-EU based controllers or processors process their data. It aims to provide a contact point for data subjects, while ensuring simultaneously that there is legal accountability for the processing activities, achieved through the provision of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations that is placed on controllers and processors based outside of the union.
(1) Conditions for Applicability
Article 27 applies where the requirements in Article 3(2) GDPR have been fulfilled.[1] In other words, Article 27 GDPR is designed to catch non-EU based controllers and processors who process the data of data subjects in the EU.[2] In such case, the controller or processor must designate a representative in the Union by a written mandate. In this designation, the representative should be explicitly assigned to act on the behalf of the controller or processor with regard to their obligations under the GDPR.[3] The representative must also cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. The representative can be a natural or legal person that is established in the Union, as per Article 4(17) GDPR.
(2) Exemptions
Article 27 GDPR begins with the blanket requirement that where a controller or processor fulfils the conditions laid out in Article 3(2) GDPR, a representative established in the Union must be designated in writing. Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”.[4]
The requirement to designate a representative is, however, not absolute. Immediately in Article 27(2) GDPR, exemptions to this requirement are presented.
Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include Article 9 GDPR or Article 10 GDPR data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.
(a) Processing Which is Occasional and Does Not Include Data in the Sense of Articles 9 and 10 GDPR
Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing is "occasional". The term has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.[5] Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing,[6] or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.
Article 27(2)(a) GDPR also specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 GDPR specifies that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk.
(b) Processing Carried Out by a Public Authority or Body
The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what a public authority or body constitutes. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the union, or offering them goods or services, are likely to be limited.
(3) Place of Establishment of the Representative
Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subject has had goods or services offered to them or has had their behaviour monitored. The EDPB has made the recommendation that “where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State”. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.[7] One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.
(4) Obligations and Responsibilities of the Representative
Article 27(4) GDPR stipulates that the representative shall be responsible for complying with the GDPR in regards to the processing activities that take place. However, the EDPB guidelines on the territorial scope of the GDPR state that the direct liability of the representative is limited to the obligations that are set out in Article 30 GDPR and in Article 58(1)(a) GDPR. Under Article 30 GDPR the representative of the controller or processor must maintain a record of the processing activities done by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to provide this record. The EDPB has also confirmed that the representative must be in a position where they can effectively communicate with data subjects and cooperate with supervisory authorities.[8]
(5) Continued Liability
However, Article 27(5) GDPR makes very clear that the controller or processor cannot escape legal liability solely by virtue of designating a representative. In fact, Article 27(5) GDPR states that legal action can be initiated directly against the controller or processor. Indeed, this happened in a case before the Austrian Data Protection Authority, in which the DPA chose to address a decision directly to a US company, instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.[9]
Decisions
→ You can find all related decisions in Category:Article 27 GDPR
References
- ↑ Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union.
- ↑ Since Article 3(2) GDPR refers to “personal data of subjects who are in the Union”, this means that the applicability of Article 27 GDPR is not limited to people of a certain citizenship or residence, but rather extends to anyone who finds themselves in the EU. This is also reflected in Recital 14 GDPR, which states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. This is further reflected in Article 8 of the Charter of Fundamental Rights, which specifies that the right to the protection of personal data is not limited, but is instead for “everyone”. See, EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 14.
- ↑ Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).
- ↑ Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).
- ↑ WP29, position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR, p. 2. This position paper was endorsed by the EDPB.
- ↑ Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, p. 595 (Oxford University Press 2020).
- ↑ EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 26.
- ↑ EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 26.
- ↑ Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00).