Appointing representatives

Dr Bo Zhao discusses the appointment of representatives of controllers or processors not established in the EU under the GDPR.
© University of Groningen

In today’s global and online world it is likely that controllers and processors that are not established in the EU process personal data of data subjects who are in the EU. Article 27 imposes the obligation to designate, in writing, a representative in the EU where processing activities are related to:

  • Offering goods or services;
  • Monitoring behaviour of data subjects as far as it takes place within the EU.

This obligation does not apply to public authorities or bodies. It also does not apply to processing which is occasional and does not include, on a large scale, processing of special categories of data (Article 9(1)) or of personal data relating to criminal convictions and offences (Article 10), if these types of processing are unlikely to result in a risk to the rights and freedoms of natural persons.

The representative is mandated by a controller or processor and can be addressed by supervisory authorities and data subjects on all issues related to data processing by the controller or processor for the purposes of ensuring GDPR compliance.

This article is from the free online course Understanding the GDPR.