GDPR Representative Requirement in Article 27 for Non-EU Businesses
Article 27 of the GDPR requires non-EU businesses to designate in writing a representative in the European Union unless one of the specified exemptions applies. This has been called by many the “hidden obligation” of the GDPR. The GDPR requirement in Article 37 for a data protection officer is frequently discussed, but it is this representative requirement that could ultimately trip up many non-EU businesses simply because it hasn’t received nearly as much publicity or focus.
The representative requirement applies to those businesses to which Article 3(2) applies. In other words, it applies to controllers and processors that are not established in the EU and that process the personal data of data subjects in the EU in connection with either the offering of goods or services to them or the monitoring of their behavior taking place in the EU. It does not apply to organizations that are established in the European Union and fall within the scope of the GDPR under Article 3(1).
The representative requirement creates a contact point in the European Union for the supervisory authorities and data subjects, rather than requiring them to contact the company at its base of operations. The representative is empowered as an additional or alternative point of contact for the supervisory authorities and data subjects on all issues involving GDPR compliance relating to the processing.
The representative must be located in one of the Member States where the data subjects who are at the center of the processing are located. Article 27(3) prohibits the representative from being established in a country where the data subjects whose personal data are being processed are not located. In other words, if the personal data collected by a company only involves individuals in Paris, then the representative must be located in France. If personal data is collected from people in Germany and France, then the controller or processor can designate a representative in either country.
There are two cases in which a non-EU organization covered by Article 3(2) does not need to designate an EU representative. The first is for a public authority or body, an exemption that will not be available to nearly all businesses. The second exemption is for processing that is occasional and unlikely to result in a risk to the rights and freedoms of natural persons. This second exemption does not apply if the processing involves large-scale processing of the special categories of data covered by Article 9(1) or of the data covered by Article 10.
Another alternative to the representative requirement for many large U.S. companies would be to create a subsidiary in the European Union. As long as the subsidiary conducts any transactions with the parent company at arm's length, and the parent is neither a controller nor a processor under the GDPR because all personal data is collected and processed by the subsidiary (which is established in Europe), then no EU representative is needed, as the business would fall within Article 3(1) rather than Article 3(2).
Just as Article 28 requires written data processor agreements, Recital 80 says that there should be an explicit written mandate giving the representative authority to act on behalf of the controller or processor with regard to its GDPR obligations. Recital 80 also indicates that the representative should perform its tasks according to the mandate given to it by the controller or processor, and should cooperate with the supervisory authorities with regard to any action taken to ensure GDPR compliance.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.