What is GDPR Article 27?

In this article, Chalmin Data Privacy look to answer the question, ‘What is GDPR Article 27?’

Article 27

With the end of the transitional period (31st December 2020) looming, you will be interested to learn that Article 27 of the General Data Protection Regulation (GDPR) requires organisations that process EU residents’ data, but that are established outside of the EU, to formally appoint a representative in the European Union to represent them on data protection matters.

Processing personal data

If you are processing personal data connected to:

(A) The offering of goods or services, regardless of whether payment is required, to persons in the EU; or

(B) The monitoring of such persons’ behaviour, if that behaviour takes place in the EU

then under Art. 27 (1) GDPR, you must designate in writing a representative in the EU.

‘Representative’ here means a natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the GDPR.

For example, if you are a UK company not domiciled in the EU after December 2020 and you process the data of EU citizens in connection with the provision of goods or services within the EU, then an EU-based Representative is necessary.

Case example

A recent case in Austria against a US company, pursuant to Art. 27 (4) GDPR, highlighted some key points around EU Representatives:

  • Because the US company was based outside the EU, but its business involved the sale of goods to EU citizens, an EU-based Representative was needed
  • The EU-based Representative was therefore a necessary conduit for the proceedings, but the US company was still the liable party. Accordingly, the authority stated that, ‘Pursuant to Art. 27 (5) GDPR, the present decision of the data protection authority is directed against the [US company]’

The European Representative has several key responsibilities:

  • Maintaining records: The EU-based Representative must maintain records of processing activities for the non-EU based company (which is the one that has to prepare and provide such records, pursuant to Article 30)
  • Co-operation and liaison with supervisory authorities: The nominated EU-based Representative, as shown in this case, is usually the first point of contact in case of a breach, and they must co-operate with the supervisory authorities in the EU

Chalmin Data Privacy understand that data protection is essential to an organisation’s reputation and can help you conduct your business in a transparent and compliant manner. You can find Chalmin Data Privacy on THE LIST and visit them at Chalmin Data Privacy