Article 27 GDPR
Legal Text
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
- (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- (b) a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Relevant Recitals
Commentary
Overview
The aim of Article 27 is to ensure that the level of protection afforded to data subjects based in the Union is not reduced where non-EU based controllers or processors process their data. It aims to provide a contact point for data subjects, while simultaneously ensuring legal accountability for the processing activities, achieved through the provision of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 also helps to clarify the scope of the obligations placed on controllers and processors based outside the Union.
Conditions for applicability
The applicability of Article 27 is defined in Article 27(1). In essence, Article 27 applies where the requirements of Article 3(2) are fulfilled. Article 3(2) can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services to data subjects in the Union, or to the monitoring of their behaviour within the Union. In other words, Article 27 is designed to catch non-EU based controllers and processors who process the data of data subjects in the EU.
Since Article 3(2) refers to “personal data of subjects who are in the Union”, this means that the applicability of Article 27 is not limited to people of a certain citizenship or residence, but rather extends to anyone who finds themselves in the EU[1]. This is also reflected in Recital 14 of the GDPR, which states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. This is further reflected in Article 8 of the Charter of Fundamental Rights, which specifies that the right to the protection of personal data is not limited, but is instead for “everyone”.
Therefore, the requirement that the data subject be located in the Union must be assessed at the moment in time when the relevant trigger activity takes place, such as the moment when goods or services are offered, or the moment when the behaviour of the data subject is being monitored[2]. However, the EDPB has confirmed that the processing activities relating to data subjects in the Union must have taken place intentionally, rather than inadvertently or incidentally[3]. This is also confirmed by Recital 23, which states that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
With regard to what it means to offer goods or services, Article 1(1) of Directive (EU) 2015/1535 has clarified that offering services also includes offering information society services[4]. Furthermore, Article 3(2)(a) specifies that no payment needs to be made for these goods or services in order for the controller or processor to be seen as offering them. However, Recital 23 confirms that the mere accessibility of a controller’s or processor’s website in the Union is not in itself sufficient to evidence an intention to offer goods or services. This was also confirmed in Verein für Konsumenteninformation[5], where the Court held that merely being able to access a website in a Member State is not enough to amount to an ‘establishment’ of the controller or processor in that Member State. Therefore, there must be more engagement between the data subject and the controller or processor before goods or services can be said to have been ‘offered’.
With regard to monitoring the behaviour of data subjects, the EDPB has clarified that (1) the behaviour monitored must relate to a data subject in the Union and (2) the monitored behaviour must itself take place within the territory of the Union[6]. Which processing activities can be considered behaviour monitoring can be derived from Recital 24, which states that “in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” The EDPB has expanded the scope of this to include not only tracking of a person on the internet, but also tracking through other kinds of networks or technologies which involve personal data processing, for instance tracking through the use of wearables or smart devices[7].
Designating the representative
Article 27(1) makes clear that the controller or processor must designate a representative in the Union by a written mandate. In this designation, the representative should be explicitly assigned to act on behalf of the controller or processor with regard to their obligations under the GDPR[8]. The representative must also cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. The representative can be a natural or legal person established in the Union, as per Article 4(17) GDPR.
Exemptions to the requirement to designate a representative
Article 27 begins with the blanket requirement that where a controller or processor fulfils the conditions laid out in Article 3(2), a representative established in the Union must be designated in writing. Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if it is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Kuner has labelled as enhancing the “practical-procedural traction of the GDPR” (Kuner, 590). The requirement to designate a representative is, however, not absolute: Article 27(2) immediately presents exemptions to this requirement.
Article 27(2) presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include Article 9 or Article 10 data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.
Processing which is occasional – Article 27(2)(a)
Article 27(2)(a) states that the requirement to designate a representative does not apply if the processing is ‘occasional’. The term has been interpreted by the EDPB to mean processing that is not carried out regularly and that falls outside the scope of the regular activities of the controller or processor[9]. Similarly, Kuner has interpreted the term ‘occasional’ to mean ‘non-systematic’ processing[10], or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular or systematic way.
Article 27(2)(a) also specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 specifies that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk.
Processing carried out by a public authority or body – Article 27(2)(b)
The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up to the supervisory authority to assess on a case-by-case basis what constitutes a public authority or body. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the Union, or offering them goods or services, are likely to be limited.
Place of establishment of the representative
Article 27(3) states that the representative of the controller or processor shall be established in one of the Member States where the data subjects have had goods or services offered to them or have had their behaviour monitored. The EDPB has recommended that “where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State”[11]. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing[12]. One way to interpret this is that, where the processing concerns data subjects in two Member States, the representative should be established in the Member State with the greater number of affected data subjects.
Obligations and responsibilities of the representative
Article 27(4) stipulates that the representative shall be responsible for complying with the GDPR with regard to the processing activities that take place. However, the EDPB guidelines on the territorial scope of the GDPR state that the direct liability of the representative is limited to the obligations set out in Article 30 and in Article 58(1)(a). Under Article 30 of the GDPR, the representative of the controller or processor must maintain a record of the processing activities carried out by the controller or processor. However, the controller or processor is itself responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to provide this record. The EDPB has also confirmed that the representative must be in a position to communicate effectively with data subjects and cooperate with supervisory authorities[13].
However, Article 27(5) makes very clear that the controller or processor cannot escape legal liability solely by virtue of designating a representative. In fact, Article 27(5) states that legal action can be initiated directly against the controller or processor. Indeed, this happened in a case[14] before the Austrian Data Protection Authority, in which the DPA chose to address a decision directly to a US company, instead of to its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.
[1] European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), pg. 14.
[2] Guidelines 3/2018, pg. 15.
[3] Ibid.
[4] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.
[5] Case C-191/15, Verein für Konsumenteninformation, para. 75-76.
[6] Guidelines 3/2018, pg. 19.
[7] Ibid.
[8] Kuner, 594.
[9] WP29 position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR.
[10] Kuner, 595.
[11] Guidelines 3/2018, pg. 26.
[12] Ibid.
[13] Guidelines 3/2018, pg. 27.
[14] https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00
Decisions
→ You can find all related decisions in Category:Article 27 GDPR