Legal background to the EU representative pursuant to Art. 27 GDPR
The applicability of European data protection law does not depend solely on whether the controller or processor is established within the EU. Organizations without an establishment in the EU are also subject to the requirements of the GDPR, for example if they offer goods or services to data subjects within the EU or monitor their behavior within the EU. In such a case, the GDPR requires the designation of an EU representative pursuant to Art. 27 GDPR.
The obligation to designate an EU representative pursuant to Art. 27 GDPR is intended to provide both data subjects and supervisory authorities with a single point of contact in the EU. This enables the supervisory authorities of the EU Member States to exercise sovereignty also vis-à-vis an organization established exclusively in a third country and thereby enforce the requirements of the GDPR. Thus, the EU representative pursuant to Art. 27 GDPR is an important instrument to ensure effective enforcement in the interest of data subjects.
The EU representative pursuant to Art. 27 GDPR as a legal obligation
An organization established in a third country requires an EU representative pursuant to Art. 27 GDPR if it:
- does not have an establishment within the EU, but
- offers goods or services to persons in the EU or
- monitors the behavior of persons in the EU (in particular tracking or profiling).
The GDPR provides exceptions from the obligation to designate an EU representative in the case of only occasional processing of less sensitive personal data or if the data processing is carried out by a public body. If no exception applies, an EU representative pursuant to Art. 27 GDPR is mandatory by law. If a required EU representative pursuant to Art. 27 GDPR is not designated, the supervisory authority may enforce a designation and impose a fine.
Or call us: +49 (0)228-227 226-0
Representative function and operational tasks as EU representative pursuant to Art. 27 GDPR
The EU representative pursuant to Art. 27 GDPR serves as a point of contact for data subjects and supervisory authorities on all issues relating to the processing of personal data in order to provide them with a direct contact within the EU.
In addition, the range of tasks of the EU representative pursuant to Art. 27 GDPR includes representing the organization with regard to the legal obligations of the GDPR. This includes, among other things, receiving and forwarding data subject requests (such as asserting the right of access or erasure) or providing the record of processing activities upon request of the supervisory authority.
Scheja & Partners as EU representative pursuant to Art. 27 GDPR of your organization
We are an internationally operating law firm whose specialized lawyers advise exclusively in the area of data protection law. We are also available to act as the EU representative pursuant to Art. 27 GDPR for organizations that are not established in the EU.
EU representative pursuant to Art. 27 GDPR: The most frequent questions
Below we have answered the most frequently asked questions about the EU representative pursuant to Art. 27 GDPR:
The EU representative pursuant to Art. 27 GDPR is defined in the GDPR. Accordingly, the representative is "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation". The representative performs representative tasks of the organization within the EU and assists it in complying with the requirements of the GDPR.
A non-European organization requires an EU representative pursuant to Art. 27 GDPR if it does not have an establishment in the EU, but either offers goods or services to persons within the EU, whether in return for payment or free of charge, or monitors the behavior of persons within the EU (in particular through tracking and profiling).
The EU representative pursuant to Art. 27 GDPR serves, on the one hand, as a point of contact for data protection in Europe for the employees of the non-European organization. At the same time, the representative is the contact person for European and national supervisory authorities as well as for the data subjects whose personal data the organization processes. Furthermore, the representative provides support in fulfilling the obligations of the GDPR. This includes, for example, receiving and forwarding data subject requests and providing the record of processing activities at the request of the supervisory authority.
European data protection law is intended to ensure a uniform level of data protection within the EU, in keeping with the protection of personal data as a fundamental right. To do justice to this protection as digitalization advances, the GDPR provides for the so-called marketplace principle. Non-European organizations are of course permitted to process personal data of European citizens. However, they then fall within the scope of the GDPR and may have to designate an EU representative pursuant to Art. 27 GDPR.
If an EU representative pursuant to Art. 27 GDPR is required in accordance with the legal requirements, the non-European organization is obligated to designate one. In the event of a breach of the obligation to designate a representative, the competent supervisory authority may order the designation and could also impose a fine of up to 10 million euros or up to 2% of the total annual turnover generated worldwide in the previous fiscal year.