Frequently Asked Questions

If you have any specific questions please contact us directly on +44 753 414 7975

Category: Obligation to Designate an Art. 27 UK Rep

Must you designate an Art. 27 Rep?

Yes, if your organisation isn’t established in the UK and your processing* activities relate to:
  • offering goods or services to persons in the UK, irrespective of payment
  • monitoring a person’s behaviour that takes place within the UK
*UNLESS the processing is only occasional, does not include, on a large scale, the processing of sensitive personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or processing personal data relating to criminal convictions and offences, and the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or the organisation is a public authority or body.

Is Art. 3(1) ‘establishment’ triggered?

No. Organisations that designate Art. 27 Reps do not fall within the scope of Art. 3(1).

This means that the presence of the Art. 27 Rep within the UK does not constitute an ‘establishment’ of a controller or processor as described in Article 3(1).

Can a DPO also be the Art. 27 Rep?

No. The data protection officer (DPO) role is in direct conflict with the Art. 27 Rep role, as the Art. 27 Rep must follow the data controller’s direct instructions, which may come from the DPO, creating a conflict of interest.

Furthermore, DPOs must be able to perform their tasks in an independent manner within their organisation. This excludes receiving direct instructions regarding the exercise of their tasks. The Art. 27 Rep is explicitly designated by a written mandate to act on behalf of the organisation with regard to its GDPR obligations, which will include written instructions.

Category: Administrative Fines

What are the consequences for not having an Art. 27 Rep?

Fines. Organisations subject to GDPR Art. 27 could be reprimanded by data protection authorities or alternatively be ordered to cease processing personal data of UK-based individuals.

The administrative fine for a breach of Art. 27 is the greater of either two per cent (2%) of global turnover or eight million seven hundred thousand pounds (£8,700,000).

Legal proceedings may be brought by NGOs representing UK individuals, claiming that organisations infringed the GDPR and exercising the right to receive compensation on the individuals’ behalf per Articles 80-83.

Can clients shift fines for breach of GDPR onto their Art. 27 Rep?

No. The European Data Protection Board (EDPB) guideline dated November 2018 noted that Art. 27 Reps can face enforcement actions in the same way as controllers and processors, including the possibility to impose administrative fines and penalties, and to hold the Art. 27 Rep liable, but this does not mean that clients just shift their liability onto their Art. 27 Reps. Specifically, GDPR recital 80 states:

“The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”

Why an Art. 27 Rep in the UK?

The U.K. Information Commissioner’s Office is highly respected around the globe. It is experienced in addressing and resolving very complex data privacy issues.