Article 27 GDPR: Difference between revisions

Latest revision as of 14:11, 24 May 2023

← Article 27 - Representatives of controllers or processors not established in the Union →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 27 - Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Relevant Recitals

Recital 80: Designated Representative

Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Commentary

The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. It aims to both provide a contact point for data subjects and ensure that there is legal accountability for processing activities by mandating the appointment of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations placed on controllers and processors based outside of the EU.

(1) Conditions for applicability

Where Article 3(2) GDPR applies,^[1] the controller or processor must designate a representative in the Union.^[2] In practice, the function of “representative in the Union” can be exercised based on a contract concluded with an individual or an organisation, provided that they are established in the Union.^[3] The role can be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or private companies.^[4] However, according to the EDPB, the role should not overlap with the DPO’s given its requirement for independence.^[5] The designation must be done in written form.^[6] The GDPR does not specify any particular requirements for the representative.^[7] However, under Article 1(17) GDPR, the representative must be capable of representing the controller or processor "with regard to their obligations under this Regulation".^[8] The designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.^[9] However, it remains unclear how entities not providing a representative may be tackled by the GDPR.^[10] This goes especially for public authorities that are excluded from the designation of a representative.^[11]

(2) Exemptions

The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (a) when the processing is occasional, does not include data covered by Article 9 GDPR or Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (b) when the processing is done by a public authority or body.

(a) Processing Which is Occasional and Does Not Include Data in the Sense of Articles 9 and 10 GDPR

Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions. First, the processing must be "occasional". Second, it must not include "processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10" on a large scale. Third, the processing must be "unlikely to result in a risk to the rights and freedoms of natural persons".

The term "occasional" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.^[12] Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.^[13]

The second condition requires that the processing does not use the categories of data covered by Articles 9 and 10 GDPR on a “large scale”. What meaning should be assigned to the expression “large scale” is not entirely clear.^[14] According to Recital 91, it should concern "a considerable amount of personal data [...] which could affect a large number of data subjects".

Finally, the third requirement specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both its likelihood and severity. This includes, inter alia, risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.

The unifying factor of these three conditions is the existence of processing which is in some way 'non-negligible' because of its scale, the data processed, or its possible negative consequences. In all the other cases, an EU representative must be appointed and the exemption in Article 27(1)(a) GDPR cannot apply.

(b) Processing carried out by a public authority or body

The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what constitutes a public authority or body. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the Union, or offering them goods or services, are likely to be limited.

(3) Place of establishment of the representative

Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subjects are located. The EDPB has recommended that “where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State”. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.^[15] One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.

(4) Obligations and responsibilities of the representative

Under Article 27(4) GDPR, data subjects and supervisory authorities can address the representative on "all issues related to processing" in order to ensure compliance with the Regulation. This can be done "in addition to or instead of" addressing the controller or processor themselves.

The main role of the representative is to serve as a point of contact and be readily available for supervisory authorities and data subjects regarding data protection matters, as stated in Article 27(4). This includes providing relevant information, addressing inquiries,^[16] and handling documents. To fulfill these responsibilities effectively, the representative may enlist the support of a team and ensure effective communication in the appropriate languages.^[17]

Under Article 30 GDPR the representative of the controller or processor must maintain a record of the processing activities performed by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to share this record.^[18]

Finally, as clarified by Recital 80 GDPR, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR (Article 31 GDPR). Direct liability of the representative is limited to the obligations set out in Article 30 and Article 58(1)(a) GDPR.^[19]

(5) Continued liability

Article 27(5) GDPR makes it very clear that the controller or processor cannot escape legal liability by designating a representative. Indeed, it states that legal action can be initiated directly against the controller or processor. This notably happened in a case before the Austrian DPA, in which it chose to address a decision directly to a US company instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.^[20]

Decisions

→ You can find all related decisions in Category:Article 27 GDPR

References

↑ Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behaviour of the data subjects within the Union.
↑ If a “controller or processor not established in the Union but subject to the GDPR fails to designate a representative in the Union it would therefore be in breach of the Regulation”. See EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 23 (available here).
↑ Under Article 4(17) GDPR, "representative" means "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation".
↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).
↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 24 (available here).
↑ This is necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by email. See, Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin numbers 17-20 (C.H.Beck 2021, 3rd Edition).
↑ Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”. See, Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).
↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).
↑ Recital 80 sentence 5 GDPR.
↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).
↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).
↑ WP29, ‘Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR’, p. 2 (available here). This position paper has been endorsed by the EDPB on 19 April 2018.
↑ Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, p. 595 (Oxford University Press 2020).
↑ Hartnung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (C.H. Beck 2020, 3rd Edition).
↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 26 (available here).
↑ The obligation includes the handling of data subjects' requests. While not directly responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subject rights effective. Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin number 52 (C.H.Beck 2021, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2020, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 16 (C.H. Beck 2020, 3rd Edition).
↑ EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 27-28 (available here).
↑ Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here).

[1] Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behaviour of the data subjects within the Union.

[2] If a “controller or processor not established in the Union but subject to the GDPR fails to designate a representative in the Union it would therefore be in breach of the Regulation”. See EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 23 (available here).

[3] Under Article 4(17) GDPR, "representative" means "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation".

[4] Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).

[5] EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 24 (available here).

[6] This is necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by email. See, Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin numbers 17-20 (C.H.Beck 2021, 3rd Edition).

[7] Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”. See, Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).

[8] Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).

[9] Recital 80 sentence 5 GDPR.

[10] Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).

[11] Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).

[12] WP29, ‘Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR’, p. 2 (available here). This position paper has been endorsed by the EDPB on 19 April 2018.

[13] Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, p. 595 (Oxford University Press 2020).

[14] Hartnung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (C.H. Beck 2020, 3rd Edition).

[15] EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 26 (available here).

[16] The obligation includes the handling of data subjects' requests. While not directly responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subject rights effective. Martini, in Paal, Pauly, DS-GVO BDSG, Article 27, margin number 52 (C.H.Beck 2021, 3rd Edition).

[17] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2020, 3rd Edition).

[18] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 16 (C.H. Beck 2020, 3rd Edition).

[19] EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 27-28 (available here).

[20] Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

@@ Line 185: / Line 185: @@
 ==Legal Text==
-<br /><center>'''Article 27 - Representatives of controllers or processors not established in the Union'''</center><br />
+<br /><center>'''Article 27 - Representatives of controllers or processors not established in the Union'''</center>
 <span id="1">1.   Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.</span>
@@ Line 202: / Line 202: @@
 ==Relevant Recitals==
-''You can help us fill this section!''
+{{Recital/80 GDPR}}
 ==Commentary==
+The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. It aims to both provide a contact point for data subjects and ensure that there is legal accountability for processing activities by mandating the appointment of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations placed on controllers and processors based outside of the EU.
-===Overview===
+===(1) Conditions for applicability===
-The aim of Article 27 is to ensure that the level of protection afforded to data subjects based in the union is not reduced in instances where non-EU based controllers or processors process their data. It aims to provide a contact point for data subjects, while ensuring simultaneously that there is legal accountability for the processing activities, achieved through the provision of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 also helps to clarify the scope of obligations that is placed on controllers and processors based outside of the union.
+Where [[Article 3 GDPR|Article 3(2) GDPR]] applies,<ref>Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behaviour of the data subjects within the Union.</ref> the controller or processor must designate a representative in the Union.<ref>If a “''controller or processor not established in the Union but subject to the GDPR fails to designate a representative in the Union it would therefore be in breach of the Regulation''”. See EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 23 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> In practice, the function of “''representative in the Union''” can be exercised based on a contract concluded with an individual or an organisation, provided that they are established in the Union.<ref>Under Article 4(17) GDPR, "representative" means "''a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation''".</ref> The role can be assumed by a wide range of commercial and non-commercial entities, such as law firms, consultancies, or private companies.''<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref>'' However, according to the EDPB, the role should not overlap with the DPO’s given its requirement for independence.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 24 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> The designation must be done in written form.<ref>This is necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by email. See, ''Martini'', in Paal, Pauly, DS-GVO BDSG, Article 27, margin numbers 17-20 (C.H.Beck 2021, 3rd Edition).</ref> The GDPR does not specify any particular requirements for the representative.<ref>Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what ''Millard'' and ''Kamarinou'' have labeled as enhancing the “''practical-procedural traction of the GDPR''”. See, ''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).</ref> However, under Article 1(17) GDPR, the representative must be capable of representing the controller or processor "''with regard to their obligations under this Regulation''".<ref>''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020).</ref> The designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities not providing a representative may be tackled by the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> This goes especially for public authorities that are excluded from the designation of a representative.''<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref>''
+===(2) Exemptions===
+The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (a) when the processing is occasional, does not include data covered by [[Article 9 GDPR]] or [[Article 10 GDPR]], and is unlikely to result in a risk to the rights and freedoms of natural persons, and (b) when the processing is done by a public authority or body.
+====(a) Processing Which is Occasional and Does Not Include Data in the Sense of [[Article 9 GDPR|Articles 9]] and [[Article 10 GDPR|10 GDPR]]====
+Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions. First, the processing must be "''occasional''". Second, it must not include "''processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10''" on a large scale. Third, the processing must be "''unlikely to result in a risk to the rights and freedoms of natural persons''".
-====Conditions for applicability====
+The term "''occasional''" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.<ref>WP29, ‘Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR’, p. 2 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51422 here]). This position paper has been endorsed by the EDPB on 19 April 2018.</ref> Similarly, ''Millard'' and ''Kamarinou'' have interpreted the term "''occasional''" to mean "''non-systematic''" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.<ref>''Millard, Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 27 GDPR, p. 595 (Oxford University Press 2020).</ref>
-The applicability of Article 27 is defined in Article 27(1). In essence, Article 27 applies where the requirements in Article 3(2) have been fulfilled. Article 3(2) can be divided into two requirements: first, there must be processing by a controller or processor who is ''not'' established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union. In other words, Article 27 is designed to catch non-EU based controllers and processors who proceed to process data of data subjects in the EU.
-Since Article 3(2) refers to “''personal data of subjects who are in the Union''”, this means that the applicability of Article 27 is not limited to people of a certain citizenship or residence, but rather extends to anyone who finds themselves in the EU[[Article 27 GDPR#%20ftn1|[1]]]. This is also reflected in Recital 14 of the GDPR, which states that ''“[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data''”. This is further reflected in Article 8 of the Charter of Fundamental Rights, which specifies that the right to the protection of personal data is not limited, but is instead for “everyone”.
+The second condition requires that the processing does not use the categories of data covered by Articles 9 and 10 GDPR on a “''large scale''”. What meaning should be assigned to the expression “''large scale''” is not entirely clear.<ref>''Hartnung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (C.H. Beck 2020, 3rd Edition).</ref> According to Recital 91, it should concern "''a considerable amount of personal data'' [...] ''which could affect a large number of data subjects''".
-Therefore, the requirement that the data subject be located in the Union must be assessed at the moment in time when the relevant trigger activity takes place, such as the moment when goods or services are offered, or the moment when the behavior of the data subject is being monitored[[Article 27 GDPR#%20ftn2|[2]]]. However, the EDPB has confirmed that the processing activities related to data subjects in the Union must have taken place intentionally, rather than inadvertently or incidentally[[Article 27 GDPR#%20ftn3|[3]]]. This is also confirmed by Recital 23, which states that “''in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union''.”
+Finally, the third requirement specifies that the processing must be “''unlikely to result in a risk to the rights and freedoms of a natural person''”. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both its likelihood and severity. This includes, ''inter alia'', risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
-With regards to what it means to offer goods or services, Article 1(1) of Directive (EU) 2015/1535 has clarified that offering services also includes offering information society services[[Article 27 GDPR#%20ftn4|[4]]]. Furthermore, Article 3(2)(a) specifies that no payment needs to be made for these goods or services in order for the controller or processor to be seen as offering them. However, Recital 23 confirms that the mere act of visiting a controller’s or processor’s website in the Union is not in itself sufficient to evidence intention to offer goods or services. This was also confirmed in ''Verein für Konsumenteninformation[[Article 27 GDPR#%20ftn5|'''[5]''']]'', where the Court held that merely being able to access a website in a Member State is not enough to amount to an ‘establishment’ of the controller or processor in that Member State. Therefore, there must be more engagement between the data subject and the controller or processor in order for them to have been ‘goods or services offered’.
+The unifying factor of these three conditions is the existence of processing which is in some way 'non-negligible' because of its scale, the data processed, or its possible negative consequences. In all the other cases, an EU representative must be appointed and the exemption in Article 27(1)(a) GDPR cannot apply.
+====(b) Processing carried out by a public authority or body ====
+The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what constitutes a public authority or body. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the Union, or offering them goods or services, are likely to be limited.
-With regards to monitoring the behaviour of data subjects, the EDPB has clarified that the behaviour monitored must (1) relate to a data subject in the Union and (2) that the monitored behaviour must itself take place within the territory of the Union[[Article 27 GDPR#%20ftn6|[6]]]. Which processing activity can be considered as behaviour monitoring can be derived from Recital 24, which states that “''in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”'' The EDPB has expanded the scope of this to include not only tracking of a person on the internet, but also tracking through other kinds of network or technologies which involve personal data processing, so for instance, tracking through the use of wearables or smart devices[[Article 27 GDPR#%20ftn7|[7]]].
+===(3) Place of establishment of the representative===
+Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subjects are located. The EDPB has recommended that “''where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State''”. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 26 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref> One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.
-====Designating the representative====
+===(4) Obligations and responsibilities of the representative===
-Article 27(1) makes clear that the controller or processor must designate a representative in the Union by a written mandate. In this designation, the representative should be explicitly assigned to act on the behalf of the controller or processor with regard to their obligations under the GDPR[[Article 27 GDPR#%20ftn8|[8]]]. The representative must also cooperate with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR. The representative can be a natural or legal person that is established in the Union, as per Article 4(17) GDPR.
+Under Article 27(4) GDPR, data subjects and supervisory authorities can address the representative on "''all issues related to processing''" in order to ensure compliance with the Regulation. This can be done "''in addition to or instead of''" addressing the controller or processor themselves.
-====Exemptions to the requirement to designate a representative====
+The main role of the representative is to serve as a point of contact and be readily available for supervisory authorities and data subjects regarding data protection matters, as stated in Article 27(4). This includes providing relevant information, addressing inquiries,<ref>The obligation includes the handling of data subjects' requests. While not directly responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subject rights effective. ''Martini'', in Paal, Pauly, DS-GVO BDSG, Article 27, margin number 52 (C.H.Beck 2021, 3rd Edition).</ref> and handling documents. To fulfill these responsibilities effectively, the representative may enlist the support of a team and ensure effective communication in the appropriate languages.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 15 (C.H. Beck 2020, 3rd Edition).</ref>
-Article 27 begins with the blanket requirement that where a controller or processor fulfils the conditions laid out in Article 3(2), a representative established in the Union must be designated in writing. Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Kuner has labeled as enhancing the “practical-procedural traction of the GDPR” (Kuner, 590). The requirement to designate a representative is, however, not absolute. Immediately in Article 27(2), exemptions to this requirement are presented.
-Article 27(2) presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include Article 9 or Article 10 data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.
+Under [[Article 30 GDPR]] the representative of the controller or processor must maintain a record of the processing activities performed by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to share this record.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 16 (C.H. Beck 2020, 3rd Edition).</ref>
-=====Processing which is occasional – Article 27(2)(a)=====
-Article 27(2)(a) states that the requirement to designate a representative does not apply if the processing is ‘occasional’. The term has been interpreted by the EDPB to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor[[Article 27 GDPR#%20ftn9|[9]]]. Similarly, Kuner has interpreted the term ‘occasional’ to mean ‘non-systematic’ processing[[Article 27 GDPR#%20ftn10|[10]]], or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular or systemic way.
-Article 27(2)(a) also specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 specifies that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk.
-=====Processing carried out by a public authority or body – Article 27(2)(b)=====
-The second exemption to the requirement to designate a representative is if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what a public authority or body constitutes. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the union, or offering them goods or services, are likely to be limited.
-====Place of establishment of the representative====
-Article 27(3) states that the representative of the controller or processor shall be established in one of the member states where the data subject has had good or services offered to them or has had their behaviour monitored. The EDPB has made the recommendation that “''where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State''”[[Article 27 GDPR#%20ftn11|[11]]]. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing[[Article 27 GDPR#%20ftn12|[12]]]. One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.
-====Obligations and responsibilities of the representative====
-Article 27(4) stipulates that the representative shall be responsible for complying with the GDPR in regards to the processing activities that take place. However, the EDPB guidelines on the territorial scope of the GDPR state that the direct liability of the representative is limited to the obligations that are set out in Article 30 and in Article 58(1)(a). Under Article 30 of the GDPR, the representative of the controller or processor must maintain a record of the processing activities done by the controller or processor. However, the controller or processor is themselves responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to provide this record. The EDPB has also confirmed that the representative must be in a position where they can effectively communicate with data subjects and cooperate with supervisory authorities[[Article 27 GDPR#%20ftn13|[13]]].
-However, Article 27(5) makes very clear that the controller or processor cannot escape legal liability solely by virtue of designating a representative. In fact, Article 27(5) states that legal action can be initiated directly against the controller or processor. Indeed, this happened in a case[[Article 27 GDPR#%20ftn14|[14]]] before the Austrian Data Protection Authority, in which the DPA chose to address a decision directly to a US company, instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.
-----[[Article 27 GDPR#%20ftnref1|[1]]] European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), pg. 14.
-[[Article 27 GDPR#%20ftnref2|[2]]] Guidelines 3/2018, pg. 15.
-[[Article 27 GDPR#%20ftnref3|[3]]] Ibid.
-[[Article 27 GDPR#%20ftnref4|[4]]] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.
-[[Article 27 GDPR#%20ftnref5|[5]]] Case C-191/15, ''Verein für Konsumenteninformation'', para. 75-76.
-[[Article 27 GDPR#%20ftnref6|[6]]] Guidelines 3/2018, pg. 19.
-[[Article 27 GDPR#%20ftnref7|[7]]] Ibid.
-[[Article 27 GDPR#%20ftnref8|[8]]] Kuner, 594.
-[[Article 27 GDPR#%20ftnref9|[9]]] WP29 position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR.
-[[Article 27 GDPR#%20ftnref10|[10]]] Kuner, 595.
-[[Article 27 GDPR#%20ftnref11|[11]]] Guidelines 03/2018, pg. 26.
-[[Article 27 GDPR#%20ftnref12|[12]]] Ibid.
-[[Article 27 GDPR#%20ftnref13|[13]]] Guidelines 03/2018, pg. 27.
-[[Article 27 GDPR#%20ftnref14|[14]]] <nowiki>https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00</nowiki>
+Finally, as clarified by Recital 80 GDPR, the representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR (Article 31 GDPR). Direct liability of the representative is limited to the obligations set out in [[Article 30 GDPR|Article 30]] and [[Article 58 GDPR|Article 58(1)(a) GDPR]].<ref>EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 27-28 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
+=== (5) Continued liability ===
+Article 27(5) GDPR makes it very clear that the controller or processor cannot escape legal liability by designating a representative. Indeed, it states that legal action can be initiated directly against the controller or processor. This notably happened in a case before the Austrian DPA, in which it chose to address a decision directly to a US company instead of its representative in the Netherlands, because “''Article 27(5) GDPR does not entail a transfer of responsibility''”.<ref>Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available [https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00 here]).</ref>
 ==Decisions==
 → You can find all related decisions in [[:Category:Article 27 GDPR]]