menu MENU
arrow_back Tilbake til alle artikler
Endre land (Nåværende : Norway) language
Kontakt vårt medlem i Norway mail_outline
Besøk nettstedet til Advokatfirmaet Bull account_balance

arrow_backTidligere artikkel
Artikkel 27
Neste artikkelarrow_forward

Representatives of controllers not established in the Union

Offisielle tekster Retningslinjer Beslutninger Vurderinger
EU-regulering Vurderinger
nasj. regulering
Vis nøkkelord og artikler relatert til art. 27 i forordningen keyboard_arrow_down Skjul nøkkelord og artikler relatert til art. 27 keyboard_arrow_up

Artikler relatert til art. 27

Nøkkelord relatert til art. 27

Vis forordningens fortaletekst relatert til art. 27 keyboard_arrow_down Skjul forordningens fortaletekst relatert til art. 27 keyboard_arrow_up

(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

Det finnes ingen fortaletekst i direktivet relatert til art. 27.

GDPR

In the case of application of Article 3 (2),  Article 27 of the Regulation requires the controllers and the processors who are not established in the Union to designate in writing a representative, when the Regulation applies to their processing activities.

As explained above (see Comment to Article 3.2), the Regulation was made applicable to a controller or a processor who is not established in the Union, where the processing activities are related to the supply of goods or services to such data subjects in the Union, a payment is required or not from such data subjects or to the monitoring of their behaviour, to the extent that it takes place within the European Union.

Let us recall that pursuant to Article 4 (17)  of the Regulation, the representative is "a natural or legal person established in the Union (...) designated by the controller or processor in writing pursuant to Article 27 who represents the controller or processor with regard to their respective obligations under this Regulation". Let’s note again that a written agreement is required for such designation.

The provision specifies that this obligation does not apply to processing that is occasional and that does not include, on a large scale, the processing of sensitive data within the meaning of Article 9 (1) or data on convictions and criminal offenses (Art. 10) and is not likely to create risk to the rights and freedoms of natural persons, taking into account the processing nature, context, scope and  purposes. This applies even when the controller or the processor is an authority or a public body.

This representative must be established in one of the Member States in which reside the natural persons whose personal data are processed in the context of the supply of goods or services they are offered or whose behaviour is monitored.

The representative, who acts on behalf of the controller or the processor, is namely the point of contact for the supervisory authorities (see Article 58) and the data subjects on all matters relating to the processing of personal data. The representative must be expressly authorised in writing by the controller or the processor to act on their behalf to fulfil their duties under the Regulation and to be consulted in addition to or instead of the controller or the processor, including the supervisory authorities and the data subjects.

This representative is also required to maintain a register of all types of personal data processing activities carried out under their responsibility (see Article 30).

The main innovation of the second draft Regulation is to provide the possibility of imposing coercive measures against the representative in case of non-compliance with this Regulation by the controller (see recital 80 and Article 27 (4) of the Regulation). However, the designation of a representative does not affect the responsibility of the controller or the processor in respect of the authorities and the data subjects, since the designation of a representative is without prejudice to the legal actions could be brought against the controller and the processor themselves.

Direktivet

Article 4.2. of the Directive provided that the controller who has no establishment in the EU but which falls under the Union law under the extraterritorial criteria for application of European regulations must designate a representative in the territory of the member State having jurisdiction under Article 4.1. c).

Utfordringer

The designation of the representative in Europe appears as a beginning of a solution to ensure the effectiveness of European legislation in respect of processing, the controller of which is established outside the EU. We welcome the possibility provided by the Regulation to impose sanctions against the representative in case of processing activities that are not compliant with the Regulation.

However, the vague outlines of the first exception to the obligation to designate a representative seem to be a source of legal uncertainty, since it leaves to the controllers or processors established outside the EU, the task of assessing whether the proposed processing creates a risk or not to the rights and freedoms of natural persons residing in the Union.

Also, unfortunately, the foreign public authorities are automatically exempted from the requirement to designate a representative. If one conceives the diplomatic difficulties that such a designation would have result in, it deprives those affected by such processing from any defence. We could also imagine subjecting the Union to a duty to negotiate a treaty or an agreement with the States to which these authorities are subject to ensure the protection of the data subjects.

arrow_back Tidligere artikkelArtikkel 27Neste artikkel arrow_forward
arrow_back Tidligere artikkelArtikkel 27 Neste artikkel arrow_forward
arrow_back Tidligere artikkel Artikkel 27 Neste artikkel arrow_forward
Retour au sommaire
arrow_back Tidligere artikkel Artikkel 27 Neste artikkel arrow_forward
Forordning
1e 2e

Art. 27

1.   Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2.   The obligation laid down in paragraph 1 of this Article shall not apply to:

a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

b) a public authority or body.

3.   The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4.   The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5.   The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

 
1. forslag close

Art. 25

1.           In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

2.           This obligation shall not apply to:

(a)     a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

(b)     an enterprise employing fewer than 250 persons; or

(c)     a public authority or body; or

(d)     a controller offering only occasionally goods or services to data subjects residing in the Union.

3.           The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

4.           The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.
2. forslag close

Art. 25

1. Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.

2. This obligation shall not apply to:

(a) (...); or

(b) processing which is occasional and unlikely to result in a (...) risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing (...); or

(c) a public authority or body;

(d) (...)

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

 

 

 
Direktiv close

Art. 4

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.
Norway
compare_arrows
visibility Gamle loven

Art. 27

Representanter for behandlingsansvarlige eller databehandlere som ikke er etablert i Unionen

1. Dersom artikkel 3 nr. 2 får anvendelse, skal den behandlingsansvarlige eller databehandleren skriftlig utpeke en representant i Unionen.

2. Forpliktelsen fastsatt i nr. 1 i denne artikkel får ikke anvendelse på

a) behandling som skjer leilighetsvis, som ikke omfatter behandling i stor skala av særlige kategorier av opplysninger som nevnt i artikkel 9 nr. 1, eller behandling av personopplysninger om straffedommer eller lovovertredelser som nevnt i artikkel 10, og som sannsynligvis ikke vil medføre en risiko for fysiske personers rettigheter og friheter, idet det tas hensyn til behandlingens art, omfang, formål og sammenhengen den utføres i, eller

b) en offentlig myndighet eller et offentlig organ.

3. Representanten skal være etablert i en av medlemsstatene der de registrerte hvis personopplysninger behandles i forbindelse med tilbud av varer eller tjenester til dem eller hvis atferd monitoreres, befinner seg.

4. Den behandlingsansvarlige eller databehandleren skal gi representanten fullmakt til å være den, i tillegg til eller istedenfor den behandlingsansvarlige eller databehandleren, som især tilsynsmyndigheter og registrerte kan henvende seg til ved spørsmål om behandlingen, med henblikk på å sikre overholdelse av denne forordning.

5. Den behandlingsansvarliges eller databehandlerens utpeking av en representant skal ikke berøre eventuelle rettslige skritt mot den behandlingsansvarlige eller databehandleren selv.
Gamle loven close

Pol. § 4 Geografisk virkeområde

Loven gjelder for behandlingsansvarlige som er etablert i Norge. Kongen kan i forskrift bestemme at loven helt eller delvis skal gjelde for Svalbard og Jan Mayen, og fastsette særlige regler om behandling av personopplysninger4 for disse områdene.

Loven gjelder også for behandlingsansvarlige som er etablert i stater utenfor EØS-området dersom den behandlingsansvarlige benytter hjelpemidler i Norge. Dette gjelder likevel ikke dersom hjelpemidlene bare brukes til å overføre personopplysninger via Norge.

Behandlingsansvarlige som nevnt i annet ledd skal ha en representant som er etablert i Norge. Bestemmelsene som gjelder for den behandlingsansvarlige gjelder også for representanten.
Spain close

Artículo 30. Representantes de los responsables o encargados del tratamiento no establecidos en la Unión Europea.

1. En los supuestos en que el Reglamento (UE) 2016/679 sea aplicable a un responsable o encargado del tratamiento no establecido en la Unión Europea en virtud de lo dispuesto en su artículo 3.2 y el tratamiento se refiera a afectados que se hallen en España, la Agencia Española de Protección de Datos o, en su caso, las autoridades autonómicas de protección de datos podrán imponer al representante, solidariamente con el responsable o encargado del tratamiento, las medidas establecidas en el Reglamento (UE) 2016/679.

Dicha exigencia se entenderá sin perjuicio de la responsabilidad que pudiera en su caso corresponder al responsable o al encargado del tratamiento y del ejercicio por el representante de la acción de repetición frente a quien proceda.

2. Asimismo, en caso de exigencia de responsabilidad en los términos previstos en el artículo 82 del Reglamento (UE) 2016/679, los responsables, encargados y representantes responderán solidariamente de los daños y perjuicios causados.

---

Article 30. Representatives of controllers or processors not established in the European Union.

1. In cases where Regulation (EU) 2016/679 is applicable to a controller or processor not established in the European Union by virtue of the provisions of Article 3.2 thereof and the processing relates to data subjects located in Spain, the Spanish Data Protection Agency or, where appropriate, the regional data protection authorities may impose on the representative, jointly and severally with the controller or processor, the measures set forth in Regulation (EU) 2016/679.

This requirement shall be without prejudice to any liability that may correspond to the data controller or data processor and to the exercise by the representative of the right of recourse against whoever may be liable.

2. Likewise, in the event of a claim for liability under the terms provided for in Article 82 of Regulation (EU) 2016/679, the persons responsible, persons in charge and representatives shall be jointly and severally liable for the damages caused
arrow_back Tidligere artikkelArtikkel 27 Neste artikkel arrow_forward
close

2016 - www.itiplaw.eu.