Mona Patel Partner
Data Protection - Do we need to appoint a GDPR article 27 representative in the EU?
What is 'an article 27 representative'?
Under article 27 of the EU GDPR[¹], a representative is a natural or legal person appointed to represent controllers or processors not established in the EU (an “EU Representative”). To be established in the EU means you have a branch, representative office or other unincorporated presence there.
Does my organisation need to appoint an EU Representative?
The EU GDPR requires your organisation to appoint an EU Representative in the EU where it is either a controller or processor that processes the personal data of data subjects in the EU and your organisation does not have an establishment in the EU.
Now that a Brexit trade deal has been agreed, organisations that are only established in the UK will need to appoint an EU Representative if they offer or intend to offer goods or services or monitor the behaviour of individuals in the EU.
There are exceptions to the requirement where:
- the organisation is a public authority or body;
- data processing is only occasional;
- data processing presents a low risk to the data protection rights of individuals;
- data processing does not involve special category data; or
- data processing does not involve large scale processing.
It is worth noting that a similar requirement applies to organisations that are not established in the UK but are offering goods or services to, or monitoring the behaviour of, individuals in the UK. Such organisations will be required under the UK GDPR[²] to appoint a UK representative.
What are the responsibilities of the EU Representative?
The purpose of an EU Representative is essentially to act as the local ‘point of contact’ for both data protection supervisory authorities and data subjects.
Your EU Representative is responsible for:
- Facilitating communication with your data subjects
This allows the data subject to effectively exercise their data protection rights, e.g. by passing on a data subject’s subject access request to you. The EU Representative is not responsible for acting upon a data subject’s request; this remains your responsibility.
- Keeping a record of your processing activities
This is a joint responsibility between your EU Representative and you. The content of the record remains your responsibility and you must keep your record of processing activities up to date. You must also provide any updates to your EU Representative so they can keep their copy of the record up to date.
- Receiving communications from EU supervisory authorities/regulators
Local regulators can contact your EU Representative directly to discuss European data protection matters. Your representative will forward these communications on to you and is responsible for replying on your behalf in accordance with your instructions.
What should UK organisations consider when appointing an EU Representative?
- The EU Representative can be an individual or a company/organisation established in the EEA.
- Ideally the EU Representative should be established in a jurisdiction in which one or more data subjects whose data is being processed reside. Only one EU Representative needs to be appointed even if your organisation offers goods/services or monitors the behaviour of data subjects in multiple countries in the EU. However, it would be sensible to appoint a representative who is (i) easily accessible to the data subjects in all those countries; and (ii) able to communicate in the language used by the data subjects and supervisory authorities of each of those countries.
- Appointments should be in writing and should document clearly the terms of the appointment and obligations of the EU Representative. This can be done by way of a service contract.
- The EU Representative should be given sufficient information about the personal data which your UK organisation is processing. This is important because the representative must be able to (i) represent your organisation regarding its obligations under the EU GDPR; and (ii) ensure that there is adequate communication with individuals and data protection authorities in the EU to ensure your organisation complies with the EU GDPR. Also, whilst the EU Representative is not liable for the failures of the UK organisation it is representing, it does have its own obligations, and will need to understand the nature of the processing being carried out in order to comply with those.
- Once you have made the appointment, make the information relating to the EU Representative publicly available. Do this by updating your privacy notices. Also, make sure that the privacy notices are easy to access.
Unlike with data transfers, there is no grace period which applies now the transition period has expired. Your organisation should therefore consider its position and act now to get an appropriate EU Representative in place.
Please contact the authors of this article for advice on whether you need to appoint an EU Representative, assistance with preparing or reviewing an EU representative agreement or drafting amendments to your privacy notices to reflect your appointment of the EU Representative.
The above does not constitute legal advice nor does it consider a complete list of issues to consider in the context of the EU GDPR or UK GDPR. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.