Article 27 GDPR: Difference between revisions

From GDPRhub
Line 208: Line 208:


===(1) Conditions for Applicability===
===(1) Conditions for Applicability===
Where [[Article 3 GDPR|Article 3(2) GDPR]] applies<ref>[https://gdprhub.eu/index.php%3Ftitle=Article_3_GDPR Article 3(2) GDPR] can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union.</ref>, the controller or processor must designate a representative in the Union. The designation must be done in written form.<ref>Some commentators argue that the mandate must be in writing in order to be valid. This would be necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by simple email. See, ''Martini'', in Paal & Pauly, DS-GVO Art. 27, margin numbers 17-20 (3rd ed., C.H.Beck 2021).</ref> The GDPR does not specify any particular requirements for the representative. Thus, it can be any natural or legal person which is organizationally capable of representing the controller or processor "''with regard to their respective obligations under this Regulation''" (Article 1(17) GDPR).<ref>''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).</ref> This includes handling requests from data subjects<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 27, margin numbers 25 (3rd ed., C.H.Beck 2021).</ref> and cooperating with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR.  
Where [[Article 3 GDPR|Article 3(2) GDPR]] applies<ref>[https://gdprhub.eu/index.php%3Ftitle=Article_3_GDPR Article 3(2) GDPR] can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union.</ref>, the controller or processor must designate a representative in the Union. The designation must be done in written form.<ref>Some commentators argue that the mandate must be in writing in order to be valid. This would be necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by simple email. See, ''Martini'', in Paal & Pauly, DS-GVO Art. 27, margin numbers 17-20 (3rd ed., C.H.Beck 2021).</ref> The GDPR does not specify any particular requirements for the representative.<ref>Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what ''Millard'' and ''Kamarinou'' have labeled as enhancing the “''practical-procedural traction of the GDPR''”. See, ''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).</ref> Thus, it can be any natural or legal person which is organizationally capable of representing the controller or processor "''with regard to their respective obligations under this Regulation''" (Article 1(17) GDPR).<ref>''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).</ref> This includes handling requests from data subjects<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 27, margin numbers 25 (3rd ed., C.H.Beck 2021).</ref> and cooperating with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR.  


===(2) Exemptions===
===(2) Exemptions===
Article 27 GDPR begins with the blanket requirement that where a controller or processor fulfils the conditions laid out in [[Article 3 GDPR|Article 3(2) GDPR]], a representative established in the Union must be designated in writing. Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what ''Millard'' and ''Kamarinou'' have labeled as enhancing the “''practical-procedural traction of the GDPR''.<ref>''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).</ref> 
The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include [[Article 9 GDPR]] or [[Article 10 GDPR]] data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.
====(a) Processing Which is Occasional and Does Not Include Data in the Sense of [[Article 9 GDPR|Articles 9]] and [[Article 10 GDPR|10 GDPR]]====
Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions. First, the processing must be "''occasional''". Second, it must not include on a large scale, "''processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10''". Third, the processing is "''unlikely to to result in a risk to the rights and freedoms of natural persons''".  


The requirement to designate a representative is, however, not absolute. Immediately in Article 27(2) GDPR, exemptions to this requirement are presented.  
The term "''occasional''" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.<ref>WP29, position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR, [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/position-paper-derogations-obligation-maintain-records_en p. 2]. This position paper was endorsed by the EDPB.</ref> Similarly, ''Millard'' and ''Kamarinou'' have interpreted the term "occasional" to mean "''non-systematic''" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.<ref>''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, p. 595 (Oxford University Press 2020).</ref>


Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include [[Article 9 GDPR]] or [[Article 10 GDPR]] data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.  
The second condition requires that the processing does not use on a 'large scale' the categories of data covered by Articles 9 and 10 GDPR. What meaning should be assigned to the expression 'large scale' is however not entirely clear.<ref>''Hartnung'', in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (Beck 2020, 3rd ed.) (accessed 20 February 2022).</ref> According to Recital 91, it should concern "''a considerable amount of personal data'' [...] ''which could affect a large number of data subjects''".  


====(a) Processing Which is Occasional and Does Not Include Data in the Sense of [[Article 9 GDPR|Articles 9]] and [[Article 10 GDPR|10 GDPR]]====
Finally, the third requirement specifies that the processing must be “''unlikely to result in a risk to the rights and freedoms of a natural person''”. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk. This includes, among the others, risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.  
Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing is "occasional". The term has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.<ref>WP29, position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR, [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/position-paper-derogations-obligation-maintain-records_en p. 2]. This position paper was endorsed by the EDPB.</ref> Similarly, ''Millard'' and ''Kamarinou'' have interpreted the term "occasional" to mean "''non-systematic''" processing,<ref>''Millard, Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, p. 595 (Oxford University Press 2020).</ref> or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.  


Article 27(2)(a) GDPR also specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 GDPR specifies that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk.  
The unifying factor of the three conditions above seems to be the existence of processing which is in some way 'non-negligible' because of its scale, the data processed or its possible negative consequences. In these circumstances, a point of contact within the EU must be provided and the exemption in Article 27(1)(a) cannot apply.  


====(b) Processing Carried Out by a Public Authority or Body ====
====(b) Processing Carried Out by a Public Authority or Body ====

Revision as of 03:56, 20 February 2022

Article 27 - Representatives of controllers or processors not established in the Union
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 27 - Representatives of controllers or processors not established in the Union


1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Relevant Recitals

Recital 80: Designated Representative
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Commentary of Article 27

The aim of Article 27 GDPR is to ensure that the level of protection afforded to data subjects based in the union is not reduced in instances where non-EU based controllers or processors process their data. It aims to provide a contact point for data subjects, while ensuring simultaneously that there is legal accountability for the processing activities, achieved through the provision of a representative. This representative can be subject to enforcement proceedings in the event of non-compliance with the GDPR. Article 27 GDPR also helps to clarify the scope of obligations that is placed on controllers and processors based outside of the union.

(1) Conditions for Applicability

Where Article 3(2) GDPR applies[1], the controller or processor must designate a representative in the Union. The designation must be done in written form.[2] The GDPR does not specify any particular requirements for the representative.[3] Thus, it can be any natural or legal person which is organizationally capable of representing the controller or processor "with regard to their respective obligations under this Regulation" (Article 1(17) GDPR).[4] This includes handling requests from data subjects[5] and cooperating with the supervisory authorities regarding any action that may need to be taken in order to comply with the GDPR.

(2) Exemptions

The requirement to designate a representative is not absolute. Article 27(2) GDPR presents two instances in which the requirement to have a representative does not apply. These are (1) when the processing is occasional and does not include Article 9 GDPR or Article 10 GDPR data, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (2) when the processing is done by a public authority or body.

(a) Processing Which is Occasional and Does Not Include Data in the Sense of Articles 9 and 10 GDPR

Article 27(2)(a) GDPR states that the requirement to designate a representative does not apply if the processing meets three cumulative conditions. First, the processing must be "occasional". Second, it must not include on a large scale, "processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10". Third, the processing is "unlikely to to result in a risk to the rights and freedoms of natural persons".

The term "occasional" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor.[6] Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way.[7]

The second condition requires that the processing does not use on a 'large scale' the categories of data covered by Articles 9 and 10 GDPR. What meaning should be assigned to the expression 'large scale' is however not entirely clear.[8] According to Recital 91, it should concern "a considerable amount of personal data [...] which could affect a large number of data subjects".

Finally, the third requirement specifies that the processing must be “unlikely to result in a risk to the rights and freedoms of a natural person”. Recital 75 GDPR sets out that when the risk to the rights and freedom of data subjects is being assessed, special consideration should be given to both the likelihood and the severity of the envisioned risk. This includes, among the others, risks of discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.

The unifying factor of the three conditions above seems to be the existence of processing which is in some way 'non-negligible' because of its scale, the data processed or its possible negative consequences. In these circumstances, a point of contact within the EU must be provided and the exemption in Article 27(1)(a) cannot apply.

(b) Processing Carried Out by a Public Authority or Body

The second exemption to the requirement to designate a representative applies if the non-EU controller or processor is a public authority or body. It is up for the supervisory authority to assess on a case-by-case basis what a public authority or body constitutes. However, instances in which a public authority or body in a third country would be monitoring the behaviour of data subjects in the union, or offering them goods or services, are likely to be limited.

(3) Place of Establishment of the Representative

Article 27(3) GDPR states that the representative of the controller or processor shall be established in one of the Member States where the data subject has had goods or services offered to them or has had their behaviour monitored. The EDPB has made the recommendation that “where a significant proportion of data subjects whose personal data are processed are located in one particular Member State […] the representative is established in that same Member State”. The main criterion for establishing where a representative should be designated is the location of the data subjects who are subject to the processing.[9] One way to interpret this is in the event that there are two member states in which processing takes place, the country which has more data subjects who are subject to the processing should be the country in which the representative is established.

(4) Obligations and Responsibilities of the Representative

Article 27(4) GDPR stipulates that the representative shall be responsible for complying with the GDPR in regards to the processing activities that take place. However, the EDPB guidelines on the territorial scope of the GDPR state that the direct liability of the representative is limited to the obligations that are set out in Article 30 GDPR and in Article 58(1)(a) GDPR. Under Article 30 GDPR the representative of the controller or processor must maintain a record of the processing activities done by the controller or processor. However, the controller or processor themselves are responsible for updating the content of the record, and must provide the representative with up-to-date information. At the same time, the representative must be ready to provide this record. The EDPB has also confirmed that the representative must be in a position where they can effectively communicate with data subjects and cooperate with supervisory authorities.[10]

(5) Continued Liability

However, Article 27(5) GDPR makes very clear that the controller or processor cannot escape legal liability solely by virtue of designating a representative. In fact, Article 27(5) GDPR states that legal action can be initiated directly against the controller or processor. Indeed, this happened in a case before the Austrian Data Protection Authority, in which the DPA chose to address a decision directly to a US company, instead of its representative in the Netherlands, because “Article 27(5) GDPR does not entail a transfer of responsibility”.[11]

Decisions

→ You can find all related decisions in Category:Article 27 GDPR

References

  1. Article 3(2) GDPR can be divided into two requirements: first, there must be processing by a controller or processor who is not established in the Union, and second, the processing activities must relate either to the offering of goods or services, or to the monitoring of the behavior of the data subjects within the Union.
  2. Some commentators argue that the mandate must be in writing in order to be valid. This would be necessary to guarantee the authenticity of the mandate and to ensure a certain tangibility of the parties involved. Qualified electronic signature or other equivalent method would also be admissible. In this sense, this agreement could not be concluded by simple email. See, Martini, in Paal & Pauly, DS-GVO Art. 27, margin numbers 17-20 (3rd ed., C.H.Beck 2021).
  3. Though the Article does little to elaborate on the nature of this requirement, such as what the consequences are if this requirement is breached, it is one step towards establishing accountability for non-EU based actors who process data. Indeed, this is what Millard and Kamarinou have labeled as enhancing the “practical-procedural traction of the GDPR”. See, Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).
  4. Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, pp. 595 et seq. (Oxford University Press 2020).
  5. Martini, in Paal & Pauly, DS-GVO Art. 27, margin numbers 25 (3rd ed., C.H.Beck 2021).
  6. WP29, position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR, p. 2. This position paper was endorsed by the EDPB.
  7. Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 27 GDPR, p. 595 (Oxford University Press 2020).
  8. Hartnung, in Kühling, Buchner, DS-GVO BDSG, Article 27 GDPR, margin numbers 9 (Beck 2020, 3rd ed.) (accessed 20 February 2022).
  9. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 26.
  10. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 12 November 2019, p. 26.
  11. Datenschutzbehörde, 7 March 2019, DSB-D130.033/0003-DSB/2019 (available here https://www.ris.bka.gv.at/JudikaturEntscheidung.wxe?Abfrage=Dsk&Dokumentnummer=DSBT_20190307_DSB_D130_033_0003_DSB_2019_00).