Article 27 states that EU-based data subjects are entitled to have their data protection affairs handled in the EU via parties that are amenable to EU law.

Broken down, this means that Article 27 requires companies that are not established in the EU, yet monitor or process the personal data of people (Data Subjects) within the EU, to appoint an EU-based representative to stand as their point of contact for both individuals and data protection regulators in the EU.

“But, how does this representation affect or even help my business?” you ask.

The purpose and benefit of this is simple: Article 27 representation ensures that EU citizens will be able to easily contact the controllers and processors outside of Europe that hold their personal data, without the potentially confusing, lengthy and costly effort that can be required to contact them at their base. Take a small example: an Italian citizen (Data Subject) who wishes to contact a data controller (Business) based in the US.

In this case, as in many others, the GDPR Representative's role is to act as your business's point of contact in the EU for any people in the EU on whose behalf you hold data.

Your representative will be the person whom data subjects will contact if they wish to exercise their rights pursuant to the GDPR. Your representative will also be the first person the regulators will contact if they happen to receive a complaint from someone in relation to your business. And if you encounter a data protection issue in your business, such as a data breach, your local representative is the person to make this notification on your behalf.

I have acquired a Data Protection Officer. Do I still have to appoint a Representative?

A GDPR Representative for the purposes of Article 27 is different from a Data Protection Officer (DPO). The two roles are distinct and very important in their own right. If you are required to appoint a DPO for your business and you have done so, this may not fulfill your obligations pursuant to Article 27. Unless your DPO is also based in the EU and designated in writing as your representative there, you will also need to appoint a representative separately from the DPO. In reality, if you are outside the EU, your representative will act as the liaison between your DPO and the data subjects and regulators in the EU.


To appoint an Article 27 Representative who will help your business thrive following the implementation of the GDPR, it is important to find a natural person who understands the basics of privacy and your data services, and who has very good, experienced communication skills, so that you can rely on them to communicate effectively with the authorities and data subjects.

