Article 27 GDPR Compliance Guide

Introduction

Article 27 of the GDPR is crucial for non-EU companies that handle data from EU citizens. If your company offers goods or services to EU citizens or monitors their behavior, you must comply with this rule. Here is a brief overview:

  • Who must comply: Non-EU companies that offer goods or services in the EU or monitor EU citizens.
  • What is required: Appointment of an EU-based data representative to communicate with data protection authorities and EU citizens.
  • Exemptions: Occasional data processing, no processing of sensitive data, and no significant risks to the rights of EU citizens.

Understanding these basics will help you take the right steps to comply with the GDPR and avoid heavy fines. Read on to find out more about the appointment of an EU representative and the requirements of Article 27 of the GDPR.

Understanding Article 27 of the GDPR

Article 27 of the GDPR is crucial for non-EU companies that process data from EU citizens. Let us explain it simply.

Applicability of Article 27

Who must appoint a representative?

Article 27 applies to controllers and processors who are not based in the EU but still process personal data of individuals in the EU. This can happen in two main scenarios:

  • Offering goods or services: If you sell products or services to EU citizens, even if they are free of charge, this article applies to you.
  • Behavior monitoring: If you track or monitor the behavior of EU citizens, for example through cookies or analytics, you also fall under this rule.

Legislative text

The legal text of Article 27 states that, if Article 3(2) applies, the controller or processor must appoint a representative in writing. This representative acts on behalf of the non-EU company in the EU.

Written designation

An EU representative must be appointed in writing. This is critical, as the written mandate serves as legally binding documentation certifying that the representative is authorized to act on your behalf.

Exemptions from Article 27

Not every non-EU company needs to appoint a representative. Here are the exceptions:

  • Occasional processing: If your data processing activities are occasional, you could be exempted. But what does “occasionally” mean? It means that processing is neither regular nor systematic.
  • Special categories of data: If your processing does not include special categories of data (such as health data) or data relating to criminal convictions, you could be exempted.
  • Low risk: If your processing is not likely to pose a risk to individuals' rights and freedoms, you may not need to appoint a representative. This includes taking into account the nature, context, scope, and purposes of the processing.
  • Public authorities: Public authorities or institutions are also exempted from this requirement.

Sample scenario

Imagine running an e-commerce store in the USA and occasionally receiving orders from EU customers. If these orders are rare, and you don’t process sensitive data, you could be exempt from appointing an EU representative.

By understanding these requirements and exceptions, you can assess whether you need to appoint an EU representative and ensure compliance with Article 27 of the GDPR.

Responsibilities of an EU Representative

Main Tasks

An EU representative acts as a liaison between your company and data protection authorities as well as data subjects in the EU. Their primary role is to ensure seamless communication and compliance with GDPR regulations.

Here are the main tasks:

  • Point of contact: The EU representative serves as the primary contact for all GDPR-related inquiries. This includes questions from data subjects about their data and from data protection authorities about compliance.
  • Legal documents: The representative receives and sends legal documents on behalf of your company. This includes handling official communications from EU authorities and data subjects.
  • Records of processing: The EU representative must maintain records of processing activities. These records should be kept up to date and be readily available to supervisory authorities on request.
  • Compliance: The representative ensures that your company meets GDPR requirements, including cooperating with data protection authorities and protecting the rights of data subjects.

Difference Between EU Representative and Data Protection Officer (DPO)

Both the EU representative and the Data Protection Officer (DPO) are crucial for GDPR compliance, but they have different responsibilities.

Key Differences:

  • Legal Responsibility:
    • The EU representative serves as a point of contact for supervisory authorities and data subjects when a non-EU company processes personal data.
    • Authorities or affected persons can contact and involve the EU representative in legal proceedings.
    • The primary responsibility for GDPR compliance remains with the company, but in some cases, the EU representative may be held liable for non-cooperation or failure to fulfill their obligations.
    • The DPO, however, cannot be held legally responsible for GDPR violations.
  • Conflict of Interest:
    • The DPO must act independently and cannot have conflicting roles within the company. Their role is to advise on GDPR compliance and improve data protection practices.
    • The EU representative, in contrast, has a more legal function and serves as a contact person for EU authorities, ensuring compliance.
  • Separate Roles:
    • Ideally, these roles should be filled by different individuals or entities to avoid conflicts of interest.
    • The DPO focuses on data protection law and data subjects, ensuring compliance within the company.
    • The EU representative acts as an external representative, ensuring compliance with EU authorities and addressing inquiries from affected individuals.

By understanding these responsibilities and differences, you can ensure that your organization is well-prepared to meet GDPR requirements.

How to appoint an EU representative

Qualifications to look out for

Appointing an EU representative is crucial for GDPR compliance. Here’s what you should watch out for:

  • Written designation: The appointment must be made in writing. This formalizes the relationship, sets clear expectations, and is a legal requirement under Article 27 GDPR. It ensures that the representative is officially recognized.
  • EU member state: The representative must be based in an EU member state where your data subjects are located. This ensures they are accessible to both data subjects and regulatory authorities.
  • Contact details: The representative’s contact details must be easily accessible to affected persons and authorities. This includes providing a physical address, phone number, and email address.
  • Legal responsibility: The EU representative serves as a point of contact for supervisory authorities and data subjects. However, the primary responsibility for GDPR compliance remains with the company. The EU representative may be held liable for breaches, particularly if they fail to fulfill obligations or do not cooperate with authorities.
  • GDPR expertise: Choose a representative with extensive knowledge of GDPR. They should be able to navigate complex regulations and advise your organization on compliance issues to avoid costly mistakes.
  • Multilingual communication: Since the representative will communicate with affected persons and authorities in different EU member states, they should speak multiple languages. This ensures clear and effective communication, reducing misunderstandings.

By focusing on these qualifications, you can appoint an EU representative who helps your company comply with GDPR effectively.

Conclusion

Navigating the complexities of GDPR compliance can be challenging, particularly for non-EU companies. That's where we come in. At SIDD, we specialize in data protection advice and offer tailored solutions to ensure that your company meets all requirements of Article 27 of the GDPR.

Our Priverion SaaS platform is designed to simplify your compliance journey. It enables you to efficiently document data protection and information security, manage risks and react to changes. Whether you need a GAP analysis or a full implementation, our platform has it all covered. In addition, thanks to multilingual capabilities, you can work together seamlessly in different languages, making language barriers a thing of the past.

We are also proud of our ISO27001 expertise. That means you can trust us to implement robust information security measures that meet international standards. Our team is very familiar with GDPR guidelines and can act as your EU representative to ensure compliance and effective communication with data subjects and regulatory authorities.

Partnering with SIDD gives you access to a team of experts dedicated to protecting your data and complying with the GDPR. Want to make GDPR compliance easy and hassle-free? Contact us today to get started.

Published 1 June 2024