Self-assessment

Find out whether you need to appoint an Article 27 Representative

Take our short self-assessment below (it’s free) to see if your organisation needs to appoint an Article 27 Representative. We can act as your representative.

This questionnaire is designed to give you an informal indication of whether you might need to appoint a representative, and is not intended to provide definitive advice. Click on underlined words to see short definitions.

Definitions

Established

This implies, according to GDPR, “the effective and real exercise of activity through stable arrangements.”  The legal form of such arrangements, whether through a branch or a subsidiary entity, is not necessarily the determining factor.  However some sort of formal, operational, base with a local contact address, would probably be required.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal data

Any information relating to an identified or identifiable natural person (a ‘data subject’).  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subjects

An identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Public authority or body

Central and local government, and most publicly-funded bodies such as healthcare, education and the judiciary.  The definition probably does not extend to private education and healthcare, especially where special category data (such as medical records) is concerned. The definition could vary from country to country within the EU.

EU data subjects

Any data subjects located in the EU (of whatever nationality), not just those who are EU nationals.

Occasional

The precise meaning of this is unclear but would probably be interpreted in favour of data subjects.  It is likely to mean something which is more than incidental to your business activities, or without which you would suffer a material negative impact in your activities.

Large scale

The processing of personal data is not considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.

Special categories

Personal data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.

Rights and freedoms of individuals

i.e. their rights and freedoms under GDPR.