Article 27 GDPR
Legal Text
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
- (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- (b) a public authority or body.
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Relevant Recitals
Commentary
The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. It aims to both provide a contact point for data subjects and ensure that there is legal accountability for processing activities by mandating the appointment of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations placed on controllers and processors based outside of the EU.
(1) Conditions for Applicability
Where Article 3(2) GDPR applies,[1] the controller or processor must designate a representative in the Union.[2] In practice, the function of “representative in the Union” can be exercised based on a contract concluded with an individual or an organisation. It can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or private companies, provided that they are established in the Union. However, according to the EDPB, the role should not overlap with the DPO’s given its requirement for independence.[3] The designation must be done in written form.[4] The GDPR does not specify any particular requirements for the representative.[5] Thus, under Article 1(17) GDPR, it can be any natural or legal person which is capable of representing the controller or processor "with regard to their obligations under this Regulation".[6]
[copied from definition:]
In this regard, the notion of a representative becomes relevant in terms of actors that are falling within the territorial scope of the GDPR without having any establishment within the union (see Article 3(2) GDPR and Recital 80 GDPR).[7] In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance of the respective controller or processor.[8] This way, the representative prevents such actors only established in a third country to become “infeasible” for data subjects and DPA’s within the union. Examples for representatives may therefore be designated employees, lawyers or whole firms established within the union.[9]
The designation shall happen in a written form, containing the a mandate to represent the controller or processor under the obligations from the GDPR.[10] At the same time. the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.[11] However, it remains unclear how entities not providing a representative may be tackled by the GDPR.[12] This goes especially for public authorities that are excluded from the designation of a representative.[13]
(2) Exemptions
The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (a) when the processing is occasional, does not include data covered by Article 9 GDPR or Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (b) when the processing is done by a public authority or body.
(a) Processing Which is Occasional and Does Not Include Data in the Sense of Articles 9 and 10 GDPR
Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions. First, the processing must be "occasional". Second, it must not include "processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10" on a large scale. Third, the processing must be "unlikely to result in a risk to the rights and freedoms of natural persons".
The term "occasional" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.[14] Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.[15]
The second condition requires that the processing does not use the categories of data covered by Articles 9 and 10 GDPR on a “large scale”. What meaning should be assigned to the expression “large scale” is not entirely clear.[16] According to Recital 91, it should concern "a considerable amount of personal data [...] which could affect a large number of data subjects".
Finally, the third requirement specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both its likelihood and severity. This includes, inter alia, risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
The unifying factor of these three conditions seems to be the existence of processing which is in some way 'non-negligible' because of its scale, the data processed, or its possible negative consequences. In all the other cases, an EU representative must be appointed and the exemption in Article 27(1)(a) GDPR cannot apply.
(b) Processing Carried Out by a Public Authority or Body
The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what constitutes a public authority or body. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the Union, or offering them goods or services, are likely to be limited.
(3) Place of Establishment of the Representative
Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subject is located. The EDPB has recommended that “where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State”. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.[17] One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.
(4) Obligations and Responsibilities of the Representative
Article 27(4) GDPR stipulates that the representative shall be responsible for complying with the GDPR in regards to the processing activities that take place. This includes handling requests from data subjects.[18] While not directly responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subject rights effective. Under Article 30 GDPR the representative of the controller or processor must maintain a record of the processing activities performed by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to share this record. The EDPB has also confirmed that the representative must be in a position where it can effectively communicate with data subjects and cooperate with supervisory authorities. Finally, as clarified by Recital 80 GDPR, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR (Article 31 GDPR). However, the EDPB guidelines on the territorial scope of the GDPR state that the direct liability of the representative is limited to the obligations set out in Article 30 and Article 58(1)(a) GDPR. [19]
(5) Continued Liability
Article 27(5) GDPR makes it very clear that the controller or processor cannot escape legal liability by designating a representative. Indeed, it states that legal action can be initiated directly against the controller or processor. This notably happened in a case before the Austrian DPA, in which it chose to address a decision directly to a US company instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.[20]
Decisions
→ You can find all related decisions in Category:Article 27 GDPR
References
- ↑ Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behaviour of the data subjects within the Union.
- ↑ If a “controller or processor not established in the Union but subject to the GDPR fails to designate a representative in the Union it would therefore be in breach of the Regulation”. See EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 23 (available here).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 24 (available here).
- ↑ Some commentators argue that the mandate must be in writing in order to be valid. This would be necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by email. See, Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin numbers 17-20 (C.H.Beck 2021, 3rd Edition).
- ↑ Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”. See, Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).
- ↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).
- ↑ According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union “related to the offering of goods or services“ or “the monitoring of their behaviour”.
- ↑ Recital 80 sentence 6 GDPR.
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).
- ↑ Recital 80 sentences 3, 4 GDPR.
- ↑ Recital 80 sentence 5 GDPR.
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).
- ↑ WP29, ‘Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR’, p. 2 (available here). This position paper has been endorsed by the EDPB on 19 April 2018.
- ↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, p. 595 (Oxford University Press 2020).
- ↑ Hartnung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (C.H. Beck 2020, 3rd Edition).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 26 (available here).
- ↑ Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin number 52 (C.H.Beck 2021, 3rd Edition).
- ↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 27-28 (available here).
- ↑ Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here).