Article 27 GDPR (Representatives of Controllers or Processors Not Established In The Union)

Article 27 of GDPR: Foreign companies to designate a representative

Foreign companies located outside of the European Union but who process personal data of individuals located in the Europen Union must designate a representative in certain situations in accordance with Article 27 of GDPR.

Designating a representative (Article 27(1) GDPR)

When a foreign company outside of the European Union processes personal data of individuals located in the European Union related to the offering of goods and services or if they are monitoring the behaviour as far as it relates to their behaviour in the EU, then they must designate a representative in the Europen Union.

Exceptions to the obligation to designate a representative (Article 27(2) GDPR)

GDPR provides for some exceptions to when a foreign company acting as a data controller or data processor should designate a representative located in the European Union.

Article 27(2)(a) GDPR outlines the following exceptions based on the following conditions:

  1. When the data processing activity is only occasional
  2. Does not include, on a large scale, the processing of special categories of personal data 
  3. Does not include, on a large scale, the processing of personal data relating to criminal convictions and offences
  4. The data processing does not result in any likely risk to the individual’s rights and freedoms considering the nature, context, scope and purpose of the data processing.

Article 27(2) GDPR exempts public authorities and bodies as well.

Location of the representative (Article 27(3) GDPR)

The foreign data controllers or data processors must appoint a representative who is located in one of the EU countries where personal data is being processed in relation to the sale of their goods or service or with regards to the monitoring of individual behaviour.

Mandate of the representative (Article 27(4) GDPR)

Foreign companies who are required to appoint a representative located in the EU must provide their representative with the mandate to represent them before the supervisory authorities in addition to or instead of the foreign company on all issues relating to data processing and GDPR compliance.

Legal claims against foreign companies (Article 27(5) GDPR)

GDPR makes it clear that regardless of the appointment or designation of a representative in the EU, data controllers and data processors remain fully liable and accountable with respect to legal actions initiated against them.

Recitals applicable to Article 27 of GDPR

Relevant Recitals: 80

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 27 or relevant recitals

None

GDPR Text: Article 27 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)