The General Date Protection Regulation (GDPR) made its debut on the global privacy stage in 2018, and now, three years later, most U.S. companies doing business in the EU are well-aware of the regulation’s main provisions and their daily operational impact. However, the GDPR’s rules are expansive; and as a result, some of its “lesser known” articles have been overlooked by a number of smaller companies with limited in-house privacy resources.
One such provision is Article 27 which requires the appointment of an EU representative when companies processing the personal data of EU residents are either not based or do not have any physical presence in the EU. The purpose of an EU representative is to establish a point of contact for questions and investigations for GDPR-bound organizations located outside the EU.
The lack of enforcement to date of Article 27 has no doubt played a role in many decisions to assume the risk of noncompliance. However, a recent decision by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) will likely cause a shift in this risk calculation. On May 12, 2021, the Dutch DPA fined a Canadian company, Locatefamily.com, €525,000 for failure to appoint an EU representative. The company was first investigated by the Dutch DPA after receiving complaints from Dutch residents about the company’s failure to comply with their data erasure requests. In the course of their review, the DPA found that the company had neither a physical location nor did it qualify for one of Article 27’s limited exceptions.
When an EU Representative is NOT required
Exemptions from the Article 27 requirement are allowed for non-EU-based companies who (1) only process personal data occasionally, (2) do not process, on a large scale, “sensitive” personal data, and (3) are engaging in processing activity that is unlikely to pose a risk to the rights of the individuals. In the case of Locatefamily.com, the Dutch DPA explained that the company processed EU personal data more than incidentally, and therefore, the exemption did not apply.
If an organization meets all of the above requirements and is eligible for the exception, it must document the decision and the reasoning for not appointing an EU representative. Failure to appoint a representative where there was an obligation to do so may result in fines of up to 10 million euros or 2% of the organization’s total worldwide annual turnover.
Choosing an EU Representative
The Dutch DPA decision serves as a valuable reminder about the importance of Article 27 compliance. If your organization does not qualify for an exemption to Article 27, it is recommended that you select an EU representative located in the EU member state where the individuals whose personal data is being processed reside. In the case of personal data from EU residents of many different member states, it is only necessary to appoint an EU representative in one member state. Considerations in choosing a member state should include what the native language is, how much data the company processes in that member state, and the individual rules and regulations of that member state.
Additional Benefit of an EU Representative
Most U.S. companies processing the personal data of EU residents from the U.S. are subject to agreements with their vendors and customers containing data processing clauses (usually in the form of a “DPA”, i.e. “Data Processing Agreement” or “Data Processing Addendum” to a commercial agreement) and/or standard contractual clauses (SCCs). Since both sets of clauses must be governed by EU or EU Member State law (per Article 28 the GDPR for data processing clauses and Article 9 of the SCCs), an EU representative provides an additional benefit for organizations without a physical presence in the EU. Specifically, by using that representative’s EU contact information, foreign organizations are able to comply with the obligation that the data exporter in these contracts (SCCs and data processing clauses) be based in the EU.
If you have questions about Article 27 of the GDPR and how it may impact your organization, please contact Stephan Grynwajc for more information or assistance. Stephan can be reached at firstname.lastname@example.org or 347-543-3035.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. email@example.com