Want to keep learning?

This content is taken from the University of Groningen's online course, Understanding the GDPR. Join the course to learn more.

Appointing representatives

In today’s global and online world it is likely that controllers and processors that are not established in the EU process personal data of data subjects who are in the EU. Article 27 imposes the obligation to designate, in writing, a representative in the EU where processing activities are related to:

  • Offering goods or services;
  • Monitoring behaviour of data subjects as far as it takes place within the EU.

This obligation does not apply to public authorities or bodies. It is also not applicable to processing which is occasional, does not include processing operations with special categories of data on a large scale (Article 9(1)) or concerns personal data relating to criminal convictions and offences (Article 10), if these types of processing are unlikely to result in a risk to the rights and freedoms of natural persons.

The representative is mandated by a controller or processor and can be addressed by supervisory authorities and data subjects on all issues related to data processing by the controller or processor for the purposes of ensuring GDPR compliance.

Share this article:

This article is from the free online course:

Understanding the GDPR

University of Groningen

Get a taste of this course

Find out what this course is like by previewing some of the course steps before you join: