GDPR compliance guide for online businesses outside of the European Union (Part 2 of 5)

We cover GDPR's Article 27 requirement to appoint an EU representative in depth. We answer questions about the role of the EU representative and how you can comply without breaking the bank.

Article 27 of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, requires businesses outside of the European Union to appoint a representative within the EU if they transact with EU residents.

In this article, we go line-by-line to explain the requirement and additional regulatory guidance to enable you to make as informed a decision as possible. If you aren't compliant just yet, there's no need to panic: we offer an instant solution to appoint your EU representative.

This article is Part 2 of 5 in our series to provide a comprehensive guide for online businesses outside of the European Union to comply with the GDPR.

The sections of the GDPR that are of direct relevance to the EU representative requirement are Article 27 regarding the appointment, Article 30 regarding records of processing activities, and Articles 12-23 regarding the rights of data subjects. We also touch on sections of Articles 3, 4, 9, 10, 32, 37, 45, 46, and 49 as they relate to the considerations necessary to achieve overall compliance with GDPR.

Our focus in this part of the guide will be Article 27, and we will dedicate the next two parts to the records of processing activities and data subjects' rights. If you would like to dig deeper for yourself, you can access the official text of the regulation here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

Overview

There are five main points we break down in this article. The misconceptions we encounter the most are businesses thinking they're exempt from the rule or thinking their compliance responsibilities end once they appoint an EU representative. Generally, neither of these is true for online businesses, and it's essential to frame the role of the EU representative appropriately in the context of your overall GDPR compliance.

  1. You must appoint an EU representative if you either offer goods or services to or monitor the behavior of data subjects in the EU.

  2. You are exempt from this requirement if you only occasionally process general categories of personal data or if you are a public authority.

  3. Your EU representative must have a physical presence in the EU.

  4. Your EU representative must be available to address inquiries by EU supervisory authorities and data subjects.

  5. Appointing an EU representative does not absolve you from liability.

Data protection officer vs. EU representative

Before we dive into Article 27, you should be aware that the EU representative is an entirely separate role from that of the data protection officer (DPO) mandated by Article 37. They are required to be independent due to the potential for a conflict of interest in their duties: your DPO cannot serve as your EU representative and vice versa. The EDPB guidance on this point is clear:

The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union.

Although we won't address the DPO requirements in detail here, in general, you are required to appoint a DPO if you:

  • are a public authority other than a judicial court,

  • regularly and systematically monitor the behavior of data subjects as part of your core activities, or

  • process special categories of data or criminal conviction data on a large scale.

A comparison that is useful here is the difference between a single physician's office and a hospital. While the former would not be considered a large scale processing operation, the latter certainly is, and a hospital would be required to appoint a DPO.

Appointing your EU representative per Article 27

Article 27 consists of only five short paragraphs that have been the source of debate and ambiguity for a large number of businesses that are outside of the EU. We aim to clarify them here based on the rule text and additional guidance.

You must appoint an EU representative if you either offer goods or services to or monitor the behavior of data subjects in the EU.

Article 27(1): Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

Article 3(2): This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

In general, if you offer goods or services for delivery to people in the EU, whether physical or digital, you are within the scope of this requirement per guidance by the EDPB.

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

In relation to websites, additional guidance by the EDPB clarified that "online tracking through the use of cookies or other tracking techniques such as fingerprinting" is encompassed by its definition of monitoring behavior.

For apps that are available in the EU, the EDPB guidance is equally clear.

An app developer established in Canada with no establishment in the Union monitors the behaviour of data subject in the Union and is therefore subject to the GDPR, as per Article 3(2)b.

You are exempt from this requirement if you only occasionally process general categories of personal data or if you are a public authority.

Article 27(2): The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

The EDPB later addressed the ambiguity in this text with specific examples that apply to most websites and apps. In general, online businesses, by their very nature, rely on "regular and systematic monitoring." This is true for all websites, apps, and e-commerce stores as a result of the broad definition of "personal data" in the GDPR, which extends to internet protocol (IP) addresses.

Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Recital (30): Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

As such, the GDPR broadly, and the Article 27 requirement for an EU representative specifically, applies to any website or app that is offering goods or services in the EU or monitoring the behavior of data subjects who reside there.

"Occasional" vs. "regular and systematic" monitoring

The Article 29 Working Party (WP29), the predecessor to the EDPB (named after Article 29 of the GDPR's predecessor, the Data Protection Directive), issued further guidance on what constitutes "regular and systematic monitoring."

WP29 interprets ‘regular’ as meaning one or more of the following:

  • Ongoing or occurring at particular intervals for a particular period

  • Recurring or repeated at fixed times

  • Constantly or periodically taking place

WP29 interprets ‘systematic’ as meaning one or more of the following:

  • Occurring according to a system

  • Pre-arranged, organised or methodical

  • Taking place as part of a general plan for data collection

  • Carried out as part of a strategy

"Large scale" processing of special data categories

If you're only processing data occasionally, you may still be subject to the Article 27 requirement if your processing involves large scale processing of special data categories or data related to criminal convictions and offenses. The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is large scale:

  • The number of data subjects concerned - either as a specific number or as a proportion of the relevant population

  • The volume of data and/or the range of different data items being processed

  • The duration, or permanence, of the data processing activity

  • The geographical extent of the processing activity

Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Article 9(2): Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Article 9(3): Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Article 10: Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Your EU representative must have a physical presence in the EU.

Article 27(3): The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

Your EU representative must be available to address inquiries by EU supervisory authorities and data subjects.

Article 27(4): The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

Appointing an EU representative does not absolve you from liability.

Article 27(5): The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Final words

If you read all of the text up to this point, congratulations. Just in case you merely skimmed it, here is the most critical aspect to remember. While most of your compliance activities only concern you and your regulator, Article 27 compliance is very much publicly detectable. You are required to disclose the contact details of your EU representative in your privacy policy, which is a public document and allows anyone to assess your compliance at any point in time. If the EU representative requirement applies to you and you haven't yet complied, we can help you tighten up your compliance.

Disclaimer

While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. Use of or reliance on any information contained on this site is solely at your own risk.

If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations.