FAQS

Frequently asked questions

Category: Obligation to Designate an Art. 27 EU Rep

Must you designate an Art. 27 EU Rep?

An organization not established in the EU needs to nominate an Art. 27 EU Rep if it processes personal data of natural persons in the EU and the processing activities relate to:

  • offering goods or services to persons in the EU, irrespective of payment
  • monitoring a person’s behaviour that takes place within the EU

UNLESS the organisation is a public authority or body, or the processing:

  • is only occasional,
  • does not include, on a large scale, the processing of sensitive personal data (data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation) or of personal data relating to criminal convictions and offences, and
  • is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

Is Art. 3(1) ‘establishment’ triggered?

Organisations not established in the EU that have designated an Art. 27 EU Rep in writing do not fall within the scope of Art. 3(1).

This means that the presence of the Art. 27 EU Rep within the EU does not constitute an ‘establishment’ of a controller or processor by virtue of Article 3(1).

Can a DPO be the Art. 27 EU Rep?

The data protection officer (DPO) role is incompatible with the Art. 27 EU Rep role because the Art. 27 EU Rep must follow the data controller’s direct instructions, which might come from the DPO.

Furthermore, DPOs must be able to perform their tasks in an independent manner within their organisation. This excludes receiving direct instructions regarding the exercise of their tasks. The Art. 27 EU Rep is explicitly designated by a written mandate to act on behalf of the organisation with regard to its GDPR obligations, which will include written instructions.

Category: Administrative Fines

What are the consequences for not having an Art. 27 Rep in the EU?

Organisations subject to GDPR Article 27 could be reprimanded by EU data protection authorities or alternatively be ordered to cease processing personal data of EU-based individuals.

The administrative fine for a breach of Article 27 is two per cent (2%) of global turnover or ten million euros (EUR 10,000,000), whichever is greater.

NGOs representing EU individuals may bring legal proceedings claiming that organisations infringed the GDPR, and may exercise the right to receive compensation on the individual’s behalf, per Articles 80-83.

Can clients shift fines for breach of GDPR onto their Art. 27 EU Rep?

The European Data Protection Board (EDPB) guideline dated November 2018 noted that Art. 27 EU Reps can face enforcement actions in the same way as controllers and processors, including the possibility of administrative fines and penalties being imposed and of the Art. 27 EU Rep being held liable.

However, this does not mean that clients just shift their liability onto their Art. 27 EU Reps.

Recital 80 states: “The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”

Category: Language & Location Options

What about non-English languages?

The European Data Protection Board (EDPB) indicated in its November 2018 guideline that the representative should be available to communicate with data subjects and supervisory authorities in their languages. They can rely on a team to communicate in the local language and as required by local law.

Most EU member state residents and supervisory authorities are comfortable communicating in the English language.

English is a recognised language along with Ghaeilge, Ireland’s official national language.

Why an Art. 27 EU Rep in Ireland?

The Irish Data Protection Commission is highly respected around the globe. It is experienced in addressing and resolving very complex data privacy issues.

An Art. 27 EU Rep in every EU country?

Organisations are only required to have one Art. 27 EU Rep, as per Article 27(3), which foresees that representatives ‘shall be established in one of the Member States where the data subjects… are.’

The European Data Protection Board in their November 2018 guideline on territoriality indicated that the Art. 27 EU Rep must remain easily accessible for data subjects in EU countries where the Art. 27 Rep is not established.

Organisations focusing on data subjects located in multiple EU countries where diverse languages are spoken may wish to designate their Art. 27 EU Rep in a member state where English is a recognised language.

Category: Article 27 Costs

How much does the GDPR Rep Cost?

Our GDPR Art. 27 Rep fee depends on the organisation’s role (controller or processor), the type and volume of personal data, processing location, EU countries in scope, internal capability and GDPR compliance maturity. Our monthly fees start at €49 and are customised for organisations whose processing covers vast quantities of personal data or involves novel uses of personal data, in particular Generative AI, Large Language Models, and biometric data. Our fees exclude extraordinary services (e.g., data protection consulting, translations, data breach response).