CIPP/E Study Guide
IAPP Training · Module 10 - BoK IV.B

Module 10 · The EU representative (Article 27)

Under Article 27, controllers/processors caught by Article 3(2) - those offering goods/services to, or monitoring, people in the EU while not established in the EU - must designate a representative in the EU. The representative is a contact for supervisory authorities and data subjects, in addition to or instead of the controller/processor, without prejudice to legal action against them. Exceptions: processing that is occasional, lacks large-scale special-category/criminal data and is unlikely to result in a risk; and public authorities/bodies.

Article 27: organisations caught by Article 3(2) (offering goods/services to, or monitoring, people in the EU while not established in the EU) must designate a representative in the EU. The EU representative is a contact for supervisory authorities AND data subjects, in addition to or instead of the controller/processor, without prejudice to legal action against the controller/processor.

  • Exceptions (no representative needed): processing that is occasional, does not include large-scale special-category/criminal data, and is unlikely to result in a risk.
  • Also exempt: public authorities/bodies.

Common trap

The representative must be addressable by supervisory authorities AND data subjects. Steering supervisory authority (SA) questions back to a non-EU HQ does not satisfy Article 27.

Key terms - quick answers

What is “EU representative”?
An Article 27 contact point in the EU for organisations caught by Article 3(2) but not established in the EU; addressable by supervisory authorities and data subjects.

What is “Article 3(2)”?
Extends the GDPR to non-EU controllers/processors that offer goods/services to, or monitor, people in the EU.