Artikkel 27
Representatives of controllers not established in the Union

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering
Vis forordningens fortaletekst relatert til art. 27 keyboard_arrow_down Skjul forordningens fortaletekst relatert til art. 27 keyboard_arrow_up

(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Det finnes ingen fortaletekst i direktivet relatert til art. 27.

GDPR

In the case of application of Article 3 (2),  Article 27 of the Regulation requires the controllers and the processors who are not established in the Union to designate in writing a representative, when the Regulation applies to their processing activities.

As explained above (see Comment to Article 3.2), the Regulation was made applicable to a controller or a processor who is not established in the Union, where the processing activities are related to the supply of goods or services to such data subjects in the Union, a payment is required or not from such data subjects or to the monitoring of their behaviour, to the extent that it takes place within the European Union.

Let us recall that pursuant to Article 4 (17)  of the Regulation, the representative is "a natural or legal person established in the Union (...) designated by the controller or processor in writing pursuant to Article 27 who represents the controller or processor with regard to their respective obligations under this Regulation". Let’s note again that a written agreement is required for such designation.

The provision specifies that this obligation does not apply to processing that is occasional and that does not include, on a large scale, the processing of sensitive data within the meaning of Article 9 (1) or data on convictions and criminal offenses (Art. 10) and is not likely to create risk to the rights and freedoms of natural persons, taking into account the processing nature, context, scope and  purposes. This applies even when the controller or the processor is an authority or a public body.

This representative must be established in one of the Member States in which reside the natural persons whose personal data are processed in the context of the supply of goods or services they are offered or whose behaviour is monitored.

The representative, who acts on behalf of the controller or the processor, is namely the point of contact for the supervisory authorities (see Article 58) and the data subjects on all matters relating to the processing of personal data. The representative must be expressly authorised in writing by the controller or the processor to act on their behalf to fulfil their duties under the Regulation and to be consulted in addition to or instead of the controller or the processor, including the supervisory authorities and the data subjects.

This representative is also required to maintain a register of all types of personal data processing activities carried out under their responsibility (see Article 30).

The main innovation of the second draft Regulation is to provide the possibility of imposing coercive measures against the representative in case of non-compliance with this Regulation by the controller (see recital 80 and Article 27 (4) of the Regulation). However, the designation of a representative does not affect the responsibility of the controller or the processor in respect of the authorities and the data subjects, since the designation of a representative is without prejudice to the legal actions could be brought against the controller and the processor themselves.

Direktivet

Article 4.2. of the Directive provided that the controller who has no establishment in the EU but which falls under the Union law under the extraterritorial criteria for application of European regulations must designate a representative in the territory of the member State having jurisdiction under Article 4.1. c).

Utfordringer

The designation of the representative in Europe appears as a beginning of a solution to ensure the effectiveness of European legislation in respect of processing, the controller of which is established outside the EU. We welcome the possibility provided by the Regulation to impose sanctions against the representative in case of processing activities that are not compliant with the Regulation.

However, the vague outlines of the first exception to the obligation to designate a representative seem to be a source of legal uncertainty, since it leaves to the controllers or processors established outside the EU, the task of assessing whether the proposed processing creates a risk or not to the rights and freedoms of natural persons residing in the Union.

Also, unfortunately, the foreign public authorities are automatically exempted from the requirement to designate a representative. If one conceives the diplomatic difficulties that such a designation would have result in, it deprives those affected by such processing from any defence. We could also imagine subjecting the Union to a duty to negotiate a treaty or an agreement with the States to which these authorities are subject to ensure the protection of the data subjects.

Forordning
1e 2e

Art. 27

1.   Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2.   The obligation laid down in paragraph 1 of this Article shall not apply to:

a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

b) a public authority or body.

3.   The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4.   The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5.   The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

 

1. forslag close

Art. 25

1.           In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

2.           This obligation shall not apply to:

(a)     a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

(b)     an enterprise employing fewer than 250 persons; or

(c)     a public authority or body; or

(d)     a controller offering only occasionally goods or services to data subjects residing in the Union.

3.           The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

4.           The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

2. forslag close

Art. 25

1. Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.

2. This obligation shall not apply to:

(a) (...); or

(b) processing which is occasional and unlikely to result in a (...) risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing (...); or

(c) a public authority or body;

(d) (...)

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

 

 

 

Direktiv close

Art. 4

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

Art. 27

Representanter for behandlingsansvarlige eller databehandlere som ikke er etablert i Unionen

1. Dersom artikkel 3 nr. 2 får anvendelse, skal den behandlingsansvarlige eller databehandleren skriftlig utpeke en representant i Unionen.

2. Forpliktelsen fastsatt i nr. 1 i denne artikkel får ikke anvendelse på

a) behandling som skjer leilighetsvis, som ikke omfatter behandling i stor skala av særlige kategorier av opplysninger som nevnt i artikkel 9 nr. 1, eller behandling av personopplysninger om straffedommer eller lovovertredelser som nevnt i artikkel 10, og som sannsynligvis ikke vil medføre en risiko for fysiske personers rettigheter og friheter, idet det tas hensyn til behandlingens art, omfang, formål og sammenhengen den utføres i, eller

b) en offentlig myndighet eller et offentlig organ.

3. Representanten skal være etablert i en av medlemsstatene der de registrerte hvis personopplysninger behandles i forbindelse med tilbud av varer eller tjenester til dem eller hvis atferd monitoreres, befinner seg.

4. Den behandlingsansvarlige eller databehandleren skal gi representanten fullmakt til å være den, i tillegg til eller istedenfor den behandlingsansvarlige eller databehandleren, som især tilsynsmyndigheter og registrerte kan henvende seg til ved spørsmål om behandlingen, med henblikk på å sikre overholdelse av denne forordning.

5. Den behandlingsansvarliges eller databehandlerens utpeking av en representant skal ikke berøre eventuelle rettslige skritt mot den behandlingsansvarlige eller databehandleren selv.

Gamle loven close

Pol. § 4 Geografisk virkeområde

Loven gjelder for behandlingsansvarlige som er etablert i Norge. Kongen kan i forskrift bestemme at loven helt eller delvis skal gjelde for Svalbard og Jan Mayen, og fastsette særlige regler om behandling av personopplysninger4 for disse områdene.

Loven gjelder også for behandlingsansvarlige som er etablert i stater utenfor EØS-området dersom den behandlingsansvarlige benytter hjelpemidler i Norge. Dette gjelder likevel ikke dersom hjelpemidlene bare brukes til å overføre personopplysninger via Norge.

Behandlingsansvarlige som nevnt i annet ledd skal ha en representant som er etablert i Norge. Bestemmelsene som gjelder for den behandlingsansvarlige gjelder også for representanten.

close