TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Is Article 27 the GDPR's 'hidden obligation'? Related reading: GDPR: Lost in translation?



As we approach the last few weeks before ‘GDPR Day’ (if I keep calling it that, it’ll catch on…), almost all companies know at least something about the EU General Data Protection Regulation, even if it’s just that they don’t yet know enough! Statistics tell us that few companies will be 100 percent ready, but that almost all companies are now somewhere along their GDPR journey.

At least that’s what is happening in the EU. Outside of the Union, where the GDPR does apply to companies processing personal data of people in the EU, the situation is a little less clear.

The European Commission has done a poor job of notifying the rest of the world that they could face fines in Europe for the manner in which they process personal data, perhaps of the view that the privacy consultant market would be able to push this agenda for them. Certainly, the majority of consultants have been working to educate their non-EU clients, although too often the response is incredulity; why should they worry about a new law in the EU when they have no base of operations in Europe?

One of the prime areas where a lack of knowledge is placing non-EU companies at risk of GDPR fines is the representative obligation under Article 27.

For those unfamiliar with it, Article 27 requires companies that are not established in the EU, but that monitor or process the personal data of people within the EU, to appoint an EU-based representative to act as their Europe-facing point of contact for individuals and local data protection authorities. The purpose of this is simple: It ensures that EU citizens will be able to contact the controllers and processors outside of Europe that hold their personal data, without having the potentially confusing, difficult and costly efforts required to contact them at their base (imagine the situation in which a French citizen is trying to contact a data controller in a less-developed country with an unreliable postal system; the likelihood of them receiving a response within the regulatory response period of a month is very unlikely).

So why is the message on the representative not reaching the companies obliged to appoint one?

The main reason appears to be the lack of information on this role coming out of the EU. Companies outside of Europe that have appointed a privacy consultant will be receiving the benefit of that consultant’s expertise in respect of applying the GDPR to the specifics of their business, but, for companies that have chosen to go it alone, they will largely be basing their preparations on materials coming out of the EU – none of which will mention the representative, because that obligation doesn’t apply to anyone in the EU.

The result? Many companies around the world, even those that are taking seriously their preparations for the GDPR, are going to be in breach of this obligation and in line for a potential administrative fine of up to 10 million euros or 2 percent of global turnover.

Many companies around the world, even those that are taking seriously their preparations for the GDPR, are going to be in breach of this obligation and in line for a potential administrative fine of up to 10 million euros or 2 percent of global turnover.

Another likely reason for the relatively low appointment levels for representatives is the confusion between the role of the data protection officer appointed pursuant to Article 37 (an in-house role directing the company’s privacy and GDPR-compliance program) and the representative appointed pursuant to Article 27, which is appointed in an external role in the EU for that company. This is made considerably worse as a result of foreign language issues – many translations will give the same result for "officer" and "representative," which makes compliance much more difficult for companies based in jurisdictions where the first language isn’t European by origin.

What of the representatives themselves?

Companies offering this service have been slow to appear, mainly because of the liability the role attracts. Under Recital 80 of the GDPR, the representative “should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” This liability for the failures of their clients is an extraordinary step for the EU to have taken, and while the aim is noble (to ensure that a non-EU company can’t simply walk away without meeting penalties handed down), there is little in the way of precedent for giving such a high risk for an agent of a company. Compare the situation to that of a lawyer, which a third party would likely never be in a position to approach directly if they had suffered loss as a result of that lawyer’s client. With each EU country having some scope to add their own additional flourishes to implementation of the GDPR, there are also situations arising like that in Spain, where their draft Data Protection Act codifying the GDPR specifies that the representative would automatically have joint and several liability with their client for GDPR failures (and any other resulting penalties).

What should a data controller or processor look for in their representative?

Article 27 appears to only require that they be established in one country where the controller or processor has data subjects. However, as the controller/processor, you may want to ask yourself whether a representative in only one country would be capable of performing the role of representing a non-EU controller or processor to people based in an EU country far from that representative (i.e. using a representative based only in Spain may not provide adequate representation for data subjects based in Estonia or Romania). I personally suspect this is an area where the Court of Justice of the EU is likely to side with the individual and follow the intent of Article 27 to provide an effective EU contact location for those companies.

Despite that, the main reason a controller or processor is likely to want a representative with wider coverage is simply the increasingly important "customer experience" factor. If an individual is raising a subject access request with the controller processing their data, it is likely that individual already has concerns about the processing. At times like that, it’s important to make sure those customers are receiving the red-carpet treatment; doing so in the bad times can generate a significant amount of customer loyalty, whereas failing to do so is likely to result in a negative response and potentially a lost customer. In this respect, the representative can be seen as an offshoot of the customer services team for the controller or processor.

Which leads me on to one of the key reasons non-EU companies should consider the appointment of a representative as one of their first steps in their GDPR preparation: It is the obligation for which it is most immediately obvious where a company has failed to meet the requirement.

Which leads me on to one of the key reasons non-EU companies should consider the appointment of a representative as one of their first steps in their GDPR preparation: It is the obligation for which it is most immediately obvious where a company has failed to meet the requirement.

Whereas most GDPR obligations exist in the background where the controller or processor carries out the actual processing, the representative is front and center of the company’s data documentation. Put simply, if a company does not have a base in the EU and does not have details of their representative in their customer-facing privacy notice, it is immediately apparent that it's failed to meet the Article 27 duty. For the EU data protection authorities, spotting this failure is likely a red flag of potential non-compliance elsewhere; conversely, having a representative listed provides a clear indication to the DPAs (and anyone else) that the company is taking their GDPR responsibilities seriously.

There is one final question which I hear from companies outside the EU: “How does the EU think they’re going to enforce the GDPR outside of Europe?”

It’s a fair question, as decisions of the European courts have no weight of precedent outside of the EU. However, principles of international law will apply and the European fine will likely be enforceable outside the EU in most jurisdictions, although a visit to the local courts for their confirmation will probably be required in many cases. There is also a particular reason why it will be seen by non-EU countries as desirable to be able to enforce GDPR fines, which is the desire among the international community to obtain (or keep) an adequacy finding. This status, conferred upon countries deemed by the EU to have equivalent legal protections for personal data to those in the EU, is a very beneficial one for the international commerce of that country, as it allows organizations in that country to receive personal data from the EU without needing to provide evidence of additional measures put in place to protect that data as it passes across international borders. If a country fails to support a fine under the GDPR in its jurisdiction, it is likely to be treated by the EU as evidence of inferior protections for personal data and will impact that country’s assertion that it provides protections equivalent to the EU.

So, if your company or client is based outside the EU and processes the personal data of people in the EU, please ensure you have appointed your data protection representative under Article 27 of GDPR in time for GDPR Day. Don’t let the "hidden obligation" catch you out!

photo credit: Lawrence Wang 王治钧 落地玻璃上的反光+雨幕 Reflection +rain curtain on the windows #上海 #shanghai #shanghaicity #rain #umbrella #onlyiphone #phonepic via photopin (license)


If you want to comment on this post, you need to login.

  • comment Robert Madge • May 3, 2018
    It will take time for the message to sink in...
  • comment Robert Cattanach • May 3, 2018
    To be precise, Article 27 does not apply to "processing which is occasional, does not include, on a large scale, processing of special categories of data ...[Article 9] or processing of personal data relating to criminal convictions ...[Article 10} and is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope and purpose of the processing" -- perhaps a not-insignificant exception for many modest-sized companies with only a website that processes occasional orders from EU residents and has modest data analytics.
  • comment Peter Miller • May 3, 2018
    Controllers and processors not established in the EU who have concerns about the extent and validity of GDPR’s extraterritoriality might also be considering whether appointment of an Article 27 representative – “mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues relating to processing for the purposes of ensuring compliance with [GDPR]” – amounts to consent to EU and Member State jurisdiction and thus a potential relinquishment of their ability to later challenge GDPR, whether directly or during the attempt to enforce a foreign judgment.
  • comment Lyn Boxall • May 3, 2018
    I am well aware that my clients to whom the GDPR applies need to appoint an EU representative.  And I spent some time earlier this year trying to locate individuals/firms that might provide such services.  I encountered confusion among potential appointees about their potential liability and thus a lack of appetite to take on the role, except at an exorbitantly high price.  (Such pricing is quite understandable when liability is unknown - this is not a criticism of them).  In addition, I have clients with business in all EU Member States without having an establishment in any of them.  There is confusion as to whether the need an EU representative in many, if not all, Member States.  I'm about to re-start the search in the hope that things have developed and changed and I can find a slate of candidates for my clients.  Anyone with suggestions, please contact me and let me know - in Singapore.
  • comment Jennee DeVore • May 3, 2018
    Article 27 uses the term "representative" and not "data protection officer" as discussed in Article 37. I'm concerned that this article may confuse this distinction. The representative is a data protection liaison that must work with the DPO but it does not necessarily need to be the DPO.
  • comment Ryan Costello • May 4, 2018
    I do not believe that Art. 27 was written with the intention of extending liability to EU representatives for the failures of their clients. Article 27 (5) specifically says that the "designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or processor themselves." I believe that language makes it clear that the representative is not "on-the-hook" for GDPR non-compliance on the part of the controller/processor. The fact that Spain seeks to introduce a joint and several liability provision for representatives only reinforces this point, in my view. 
    I do concede that the language of Recital 80 stating that "the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor" does muddy the water somewhat, but I believe the language suggests that the representative should be party to, or present for, those proceedings... the physical stand-in for the controller/processor, as it were... but does not extend liability to the representative for non-compliance. Moreover, recital language is not legally binding, unlike the regulatory text itself.
  • comment Jeroen Terstegge • May 4, 2018
    It’s a hidden, but also pointless obligation (which by the way already existed in the past 23 years). It’s pointless for several reasons: 1) the representative is not the DPO (although it could be), so representatives do not contribute to compliance and fair processing; 2) in the days of internet and e-mail contacting controllers by postal mail is completely outdated; 3) the data protection authorities may issue a fine directly against the representative (see recital 80), so many companies will find it hard to find a representative willing to take the fall for them first and hoping to be indemnified later.
    WhatsApp was forced by the Dutch DPA to appoint a representative in The Netherlands. In court, WhatsApp argued that it -unsurprisingly- couldn’t find one. The court noted that that is not a defense under the law. But this shows the problem. The riskier the company and the larger their turnover, the less likely they will be able to find a representative. On the other hand, the DPA’s enforcement priorities will generally not lie with the low-risk non-EEA companies that have failed to appoint a representative, so in such cases, appointing a representative is just an administrative burden. I expect that we will see a lot window-dressing here, where a shell company will be set up acting a representative that handles any data subject requests and DPA inquiries, but that goes bankrupt as soon as a fine is issued against it.
    The obligation for processors to appoint a representative is also pointless given the fact that data subjects and the DPA should first and foremost contact the controller in the EEA anyway, article 28 already requires that the data processor agreement must stipulate that the processor informs the controller on request that he provides all information relating to the processor’s compliance with the GDPR, and the controller is in principle jointly and severally liable for the processor’s non-compliance (art. 82.2), although he could in theory discharge himself (art. 82.3), but that is very hard to do given the heavy burden placed on the controller by art. 24. So in the end, the most logical way is that the controller acts as the processo’s representative.
  • comment Diana Andrade • May 4, 2018
    Congratulations, your article is excellent! The requirement is very well explained, the challenges of direct liability of the DP Reps and reasons for this being somehow a "hidden obligation" and the imminent risk for companies for not appointing a DP Rep when it's one of the first requirements SA's will look at when verifying compliance.
  • comment Alejandra Brown • May 4, 2018
    I am in the same situation as Lyn Boxall. I haven't been able to find a company in the EU that can represent some of my customers in Canada that do not have a physical presence in the EU, yet the EU is a big market for them. If anyone has some guidance around what specific companies will provide this service, I will appreciate your feedback as well. My email is
  • comment Karn Jani • May 7, 2018
    Good insights Tim! Even though most of us have been busy talking about SARs, DPIAs, PbD, etc., it would not be wrong in assuming that this critical aspect of compliance would have been missed in a majority of compliance exercises/ audits. Having said that, Article 27 leaves a lot for interpretation and does not come out as a prominent 'to-do' item (aptly called 'hidden'). As mentioned in a few comments above, finding a EU representative who would be prepared to bear the burnt of enforcement actions is a tedious exercise, unless there is a guidance available. Recital 80 just makes the job more difficult. Nevertheless, as is the case at present, law firms established within EU could still continue to represent their non-EU clients, while the monetary liability factor would then be re-considered. But are the firms ready to put their neck in?
  • comment Emma Butler • May 8, 2018
    This will also become an issue for UK-based businesses after Brexit. Given the liability, no-one is offering these services, so it's unclear what small businesses are supposed to do.
  • comment Ken Baylor • May 25, 2018
    In the last few weeks a few new services have come online for EU Representation, from all over the EU. However, please choose the location of your EU Rep carefully:
  • comment Jan Lange • Oct 19, 2018
    Hi Tim, very nice article, congratulations! Now, five months after the go live of the GDPR it is quite surprising to see that not many non-EU companies have assigned a representative in the EU. Even most international airlines from non-EU countries that fly into EU do not have any information about a representative in the EU in their privacy notes, despite the fact that they process data of their EU customers on a regular basis (and not „occasionally“). I assume that we need the first rulings and case law in order to wake up companies regarding the EU GDPR requirements. Best regards, Jan from „“
  • comment Cornelia Maria Schmitt • Feb 28, 2019
    This will also be very interesting in the context of Brexit. Companies outside of the EU, but with branches in EU might face that scenario as well unless they can clearly identify and prove that a branch in the EU can be identified as main establishment. Any thoughts?
  • comment Nazeem Patel • Mar 13, 2019
    Its about time that people that needs to work start working...