ASSESSMENT

Take our assessment test to find out if you need to appoint an EU representative

Contact us for a fee quote

Article 27 of the GDPR stipulates that  companies outside of the EU must designate a data protection representative (unless certain limited exceptions apply).

Find out if you need to appoint an EU representative by filling in the assessment test below.

Does your company offer goods or services to natural persons who are in the EU (whether for payment or for free)?

Contact us for a fee quote

European Data Protection Office

EDPO • Avenue Huart Hamoir 71, 1030 Brussels • Belgium

  VAT : BE0689.629.220 • E-mail : info@edpo.com 

Article 27

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves

Are there any exceptions to the application of Article 27 of the GDPR to non-EU companies ?

The GDPR does not apply to non-EU companies if they are a public authority or body or if the following cumulative conditions are met:

(i) the company only occasionally processes the personal data of persons in the EU

(ii) the processing does not include the processing on a large scale of special categories of personal data or the processing of personal data relating to criminal convictions and offenses and

(iii) the nature, context, scope and purpose of the processing is unlikely to result in a risk to the rights and freedoms.