No. Organisations that designate Art. 27 Reps do not fall within the scope of Art. 3(1).
This means that the presence of the Art. 27 Rep within the UK does not constitute an ‘establishment’ of a controller or processor as described in Article 3(1).
No. The data protection officer (DPO) role is in direct conflict with the Art. 27 Rep role, as the Art. 27 Rep must follow the data controller’s direct instructions, which may come from the DPO, creating a conflict of interest.
Furthermore, DPOs must be able to perform their tasks in an independent manner within their organisation. This excludes receiving direct instructions regarding the exercise of their tasks. The Art. 27 Rep is explicitly designated by a written mandate to act on behalf of the organisation with regard to its GDPR obligations, which will include written instructions.
Fines. Organisations subject to GDPR Art. 27 could be reprimanded by data protection authorities or, alternatively, be ordered to cease processing personal data of UK-based individuals.
The administrative fine for a breach of Art. 27 is the greater of either two per cent (2%) of global turnover or eight million seven hundred thousand pounds (£8,700,000).
NGOs representing UK individuals may bring legal proceedings claiming that organisations infringed the GDPR, and may exercise the right to receive compensation on the individual’s behalf, per Articles 80-83.
No. The European Data Protection Board (EDPB) guideline dated November 2018 noted that Art. 27 Reps can face enforcement actions in the same way as controllers and processors, including the possibility of administrative fines and penalties being imposed and of the Art. 27 Rep being held liable. This does not mean, however, that clients simply shift their liability onto their Art. 27 Reps. Specifically, GDPR recital 80 states:
“The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”