Article 27 Representation
Many companies that are subject to the GDPR but have no physical presence in Europe often overlook an important requirement: Article 27. Simon Wynn Consulting can help your company with this requirement through our partnership with the European Data Protection Office (EDPO).
Article 27 of the General Data Protection Regulation (GDPR) plays a crucial role in ensuring the effective and compliant handling of personal data in the context of businesses that operate across borders. This overview outlines the requirements for the appointment of a representative by non-European businesses that process the personal data of EU (technically EEA) and UK residents, and how SWC can help your business with this process. Let's first cover the key aspects of Article 27 and its significance.
Scope - Article 27 applies to organizations that are not established in the European Union but process the personal data of EU residents. It is particularly relevant to businesses offering goods or services to EU citizens or monitoring their behavior. The UK and Switzerland also have similar requirements, but with some key differences that we’ll cover later.
Representative Appointment and their Role - Non-EU organizations falling within the scope of the GDPR are required to appoint a representative within the EU. This representative acts as a point of contact for both data protection authorities and individuals whose data is being processed. Once approved, you want to make it clear in your Privacy Notice how to contact your representative.
Accountability - Article 27 enhances accountability by ensuring that non-EU organizations are subject to the GDPR's principles and requirements. The representative plays a pivotal role in ensuring that the organization complies with the regulation, facilitating transparency and accountability in data processing activities.
Enhanced Protection for EU Residents - Appointing a representative ensures that EU residents have a local point of contact for privacy-related matters.
Simplifying Enforcement and Communication - By designating a representative within the EU, authorities can more easily enforce the GDPR against non-compliant organizations. This simplifies the regulatory process, enhances the effectiveness of data protection enforcement efforts, and streamlines the process of addressing inquiries, investigations, and potential breaches.
Compliance Challenges and Considerations
While Article 27 serves a vital purpose, it does present challenges for non-EU organizations. The appointment of a representative involves careful consideration of legal and operational aspects. Organizations must ensure that their representative is adequately equipped to fulfill their role and that the arrangement is well-documented.
Article 27 of the ‘UK GDPR’ is still currently in place, and hence the same requirements apply to companies offering goods or services to individuals in the UK. Note, however, that the pending Data Protection and Digital Information Bill (the DPDI) will likely remove this requirement when and if it passes in 2024.
Do I need an Article 27 Representative?
You probably need to appoint an EU GDPR Representative if:
you are a company based outside the EU/EEA; and
you don’t have an establishment there; and
you offer goods or services to individuals in the EU/EEA (for payment or for free) and/or
you monitor the behavior of these individuals (such as tracking or profiling)
As previously mentioned, these same requirements apply to companies if they offer goods or services to individuals in the UK.
What about Switzerland?
Switzerland has modeled its own privacy regulations on the GDPR through its own Data Protection Act, the FADP. Article 14 of the FADP requires a representative if:
a company processes the personal data of data subjects in Switzerland; and
the data processing is in connection with offering them goods or services in Switzerland or monitoring their behavior; and
the data processing is extensive; and
it occurs on a regular basis; and
it involves a high risk for the personality of such data subjects
Due to the narrower scope around ‘extensive’ and ‘high risk’ data processing, a Swiss representative will be necessary in far fewer cases than a representative pursuant to Art. 27 of the GDPR. The provision is mainly aimed at the large U.S. tech companies that offer online services in Switzerland.
How does SWC help organizations with this process?
Through our partnership with the EDPO, we offer EU, UK, and Swiss representation options. In addition to requiring a comprehensive GDPR program, companies that engage representatives need to make sure that it’s clear to their users how to contact their representative, and also provide a Record of Processing Activities (ROPA) that the representative firm will keep on hand to assist with regulatory inquiries.
Article 30(5) provides exceptions that allow companies with fewer than 250 staff who engage in ‘low risk’ processing to not go through the ROPA process; however, this exception doesn’t apply to the Article 27 requirements. We always recommend that companies maintain a ROPA regardless of company size and processing characteristics; however, if you don’t, SWC can help with that process too.
If you've identified the need for Article 27 representation for your company or have requirements for Swiss representation, feel free to reach out to us through our contact form.
DISCLAIMER: We are not lawyers, nor a law firm, and do not engage in the practice of law. Simon Wynn Consulting cannot and does not provide legal advice or legal representation. The guidance contained in this article is not intended to be a substitute for a lawyer or professional legal advice.