If your organisation is located outside the EU but is offering goods or services to individuals in the EU, or monitoring their behaviour, and you are processing their personal data for those purposes, then the chances are that you will need to appoint an EU Representative under Article 27 of the EU General Data Protection Regulation (GDPR) if you do not have your own establishment within the EU.
Take our free self-assessment to see if you need an EU representative.
If your organisation is based outside the EU but GDPR applies to you, and you do not have your own establishment within the EU, Article 27 of the GDPR mandates you to appoint a representative within the EU. There are limited exceptions to this requirement.
The function of the representative is to:
hold your Article 30 records of data processing activity
act on your behalf in relation to data protection matters in the EU
act as the first port of call for the local supervisory authorities in relation to compliance action
act as a portal for the receipt of requests from individual data subjects in connection with their data protection rights.
Take our short self-assessment (it’s free) to see if your organisation needs an EU Representative.
We can act as your EU Representative within the EU, and as your UK Representative, if required.
We are headquartered in Dublin, Ireland and have offices in the UK and Switzerland.
We have the capability to provide representative services in other EU member states and the UK if the majority of your data subjects are located there, and can provide foreign language services.
Our GDPR experts handle queries every day. We are members of the world’s largest information privacy organisation (IAPP).
The role of an EU representative is to fulfil a requirement under Article 27 of the GDPR whereby they represent organisations with no EU presence and act as an interface between them, an organisation’s EU customers, and relevant supervisory authorities.
Article 27 is a clause under the General Data Protection Regulation, more commonly known as GDPR, which requires companies to appoint an EU representative within the EU to act as their point of contact between individuals and local data protection authorities if their company is not established in the EU, but the company monitors or processes the personal data of people based in the EU. This requirement came into force when the GDPR legislation was introduced in May 2018.
You may have heard of terms such as EU representative or Article 27 representative but rest assured they have the same meaning when it comes to GDPR and carry out the same role.
The purpose of having an EU Representative is to make sure that relevant supervisory authorities and data subjects in the EU (e.g. individuals located within the EU) can contact controllers and processors of their personal data that are situated outside of Europe, and to facilitate the legal enforcement of their rights in respect of such data.
If your organisation is situated outside of the EU but has customers within the EU (e.g. is processing personal data about data subjects who live in the EU) then the chances are that you will need an EU Representative to cover you under Article 27 of the GDPR.
Our data protection experts have put together a free self-assessment on their website to help you decide whether you need to appoint an EU Representative.
An EU representative is tasked with maintaining a record of the company’s data processing activities and is responsible for acting as an interface between the company and EU data subjects, or the relevant EU supervisory authority. Details of the EU representative must be included in a company’s online privacy policy.
In the event of non-compliance with the GDPR, the EU representative may also be subject to enforcement proceedings.
We can act as your EU representative and offer a free consultation where we will discuss your company’s requirements, confirm whether you need one, and tell you more about our services and the way in which we can help.
The infringement of a company’s EU representative obligation can lead to administrative fines of up to two per cent of annual turnover or €10 million, whichever is higher. It is not a matter which should be overlooked considering how easy it is for relevant data protection authorities to spot non-compliance with the GDPR. Details of an organisation’s EU representative must be included in the privacy policy on a company’s website which is readily available for anyone to access in the public domain. Absence of this information in one’s privacy policy is an ‘easy spot’ for data protection authorities which can enforce fines for non-compliance.
Speak to one of our data protection professionals if you need help with appointing an EU representative. We can act as your EU representative and offer a free consultation to discuss your requirements.