In today’s global and online world it is likely that controllers and processors that are not established in the EU process personal data of data subjects who are in the EU. Article 27 imposes the obligation to designate, in writing, a representative in the EU where processing activities are related to:
- Offering goods or services;
- Monitoring behaviour of data subjects as far as it takes place within the EU.
This obligation does not apply to public authorities or bodies. It is also not applicable to processing which is occasional, does not include processing operations with special categories of data on a large scale (Article 9(1)) or concerns personal data relating to criminal convictions and offences (Article 10), if these types of processing are unlikely to result in a risk to the rights and freedoms of natural persons.
The representative is mandated by a controller or processor and can be addressed by supervisory authorities and data subjects on all issues related to data processing by the controller or processor for the purposes of ensuring GDPR compliance.
© University of Groningen