FAQS

Frequently asked questions

Category: Obligation to Designate an Art. 27 EU Rep

Must you designate an Art. 27 Rep?

Yes, if your organisation isn’t established in the EU or UK and your processing* activities relate to:

  • offering goods or services to persons in the EU or UK, irrespective of payment
  • monitoring a person’s behaviour that takes place within the EU or UK

*UNLESS the processing is only occasional, does not include, on a large scale, the processing of sensitive personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or processing personal data relating to criminal convictions and offences, and the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or the organisation is a public authority or body.

Is Art. 3(1) ‘establishment’ triggered?

No. Organisations that designate Art. 27 Reps do not fall within the scope of Art. 3(1).

This means that the presence of the Art. 27 Rep within the EU or UK does not constitute an ‘establishment’ of a controller or processor as described in Article 3(1).

Can a DPO also be the Art. 27 Rep?

No. The data protection officer (DPO) role is in direct conflict with the Art. 27 EU Rep role, as the Art. 27 EU Rep must follow the data controller’s direct instructions, which may come from the DPO, creating a conflict of interest.

Furthermore, DPOs must be able to perform their tasks in an independent manner within their organisation. This excludes receiving direct instructions regarding the exercise of their tasks. The Art. 27 EU Rep is explicitly designated by a written mandate to act on behalf of the organisation with regard to its GDPR obligations, which will include written instructions.

Category: Administrative Fines

What are the consequences for not having an Art. 27 Rep?

Fines. Organisations subject to GDPR Art. 27 could be reprimanded by data protection authorities or alternatively be ordered to cease processing personal data of EU & UK based individuals.

The administrative fine for a breach of Art. 27 is the greater of either two per cent (2%) of global turnover or ten million euros (EUR 10,000,000). The penalty in sterling is set by the Bank of England on the day the UK data protection authority’s penalty notice is given.

Legal proceedings may be brought by NGOs representing EU individuals, claiming that organisations infringed the GDPR and exercising the right to receive compensation on the individual’s behalf, per Articles 80-83.

Can clients shift fines for breach of GDPR onto their Art. 27 Rep?

No. The European Data Protection Board (EDPB) guideline dated November 2018 noted that Art. 27 Reps can face enforcement actions in the same way as controllers and processors, including the possibility to impose administrative fines and penalties, and to hold the Art. 27 Rep liable, but this does not mean that clients just shift their liability onto their Art. 27 Reps. Specifically, GDPR recital 80 states: “The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”

Category: Language & Location Options

What about non-English languages?

The European Data Protection Board (EDPB) indicated in its November 2018 guideline that the representative should be available to communicate with data subjects and supervisory authorities in their languages. They can rely on a team to communicate in the local language and as required by local law.  

Most EU member state residents and supervisory authorities are comfortable communicating in the English language.

Why an Art. 27 EU Rep in the U.K.?

The U.K. Information Commissioner’s Office is highly respected around the globe. It is experienced in addressing and resolving very complex data privacy issues.

Art. 27 EU Rep in every EU country?

Organisations are only required to have one Art. 27 EU Rep, as per Article 27(3) which foresees that representatives ‘shall be established in one of the Member States where the data subjects… are.’

The European Data Protection Board in their November 2018 guideline on territoriality indicated that the Art. 27 EU Rep must remain easily accessible for data subjects in EU countries where the Art. 27 Rep is not established.

Organisations focusing on data subjects located in multiple EU countries where diverse languages are spoken may wish to designate their Art. 27 EU Rep in a member state where English is a recognised language.