EDPB Guidance on Article 27 Representative
As part of the guidelines on the territorial scope of the GDPR, which were released for public consultation by the European Data Protection Board (EDPB) following its Fourth Plenary session, the EDPB also issued guidance on the Article 27 representative requirement. Companies that fall under Article 3(2), are not covered by Article 3(1), and are not exempt under the criteria in Article 27(2) should closely review the guidance to ensure compliance with this GDPR requirement.
Here is a quick overview of some of the key sections of the guidance on representatives:
The EDPB makes clear that the representative role can be taken on by “a wide range of commercial and non-commercial entities … provided that such entities are established in the [EU].” The representative can be a law firm, consulting company, private company, or other individual/entity. The EDPB also specified that one representative can “act on behalf of several non-EU controllers and processors.”
The EDPB recommends that the representative be located in the member state where a significant proportion of data subjects whose personal data is processed are located, if data subjects are located in more than one country. The representative should remain accessible to data subjects in other locations.
The EDPB recommends that a single individual at the representative be designated as the lead contact and person in charge, and that this be specified in the service contract with the entity.
An external Data Protection Officer cannot be the representative, because the DPO would not have a sufficient degree of autonomy and there would be a possible conflict of interest in enforcement proceedings.
The guidelines specify that controllers that are required to designate a representative and do not disclose to data subjects their representative’s identity would be in breach of their transparency obligations under GDPR.
Obligations and Responsibilities of the Representative
Here is a list of the obligations and responsibilities identified by EDPB:
Must facilitate communications between data subjects and the controller or processor represented.
Must maintain the Article 30 record of processing activities (ROPA) along with all accurate and updated information from the company, to make available to DPAs if needed.
Perform tasks according to mandate from controller or processor.
Must cooperate with competent supervisory authorities with regard to information and procedure exchanges to ensure GDPR compliance.
Must be able to communicate in the languages of the supervisory authorities and data subjects.
The EDPB also notes that regulators may initiate an enforcement action against the representative to impose administrative fines and penalties or otherwise hold the representative liable, though the designation of a representative does not alter the controller's or processor's own responsibilities or liability.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options from data mapping software, DPIA automation, and cookie management for ePrivacy.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.