Article 27
Representatives of controllers not established in the Union

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 27 keyboard_arrow_down Hide the recitals of the Regulation related to article 27 keyboard_arrow_up

(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

There is no recital in the Directive related to article 27.

The GDPR

In the case of application of Article 3 (2),  Article 27 of the Regulation requires the controllers and the processors who are not established in the Union to designate in writing a representative, when the Regulation applies to their processing activities.

As explained above (see Comment to Article 3.2), the Regulation was made applicable to a controller or a processor who is not established in the Union, where the processing activities are related to the supply of goods or services to such data subjects in the Union, a payment is required or not from such data subjects or to the monitoring of their behaviour, to the extent that it takes place within the European Union.

Let us recall that pursuant to Article 4 (17)  of the Regulation, the representative is "a natural or legal person established in the Union (...) designated by the controller or processor in writing pursuant to Article 27 who represents the controller or processor with regard to their respective obligations under this Regulation". Let’s note again that a written agreement is required for such designation.

The provision specifies that this obligation does not apply to processing that is occasional and that does not include, on a large scale, the processing of sensitive data within the meaning of Article 9 (1) or data on convictions and criminal offenses (Art. 10) and is not likely to create risk to the rights and freedoms of natural persons, taking into account the processing nature, context, scope and  purposes. This applies even when the controller or the processor is an authority or a public body.

This representative must be established in one of the Member States in which reside the natural persons whose personal data are processed in the context of the supply of goods or services they are offered or whose behaviour is monitored.

The representative, who acts on behalf of the controller or the processor, is namely the point of contact for the supervisory authorities (see Article 58) and the data subjects on all matters relating to the processing of personal data. The representative must be expressly authorised in writing by the controller or the processor to act on their behalf to fulfil their duties under the Regulation and to be consulted in addition to or instead of the controller or the processor, including the supervisory authorities and the data subjects.

This representative is also required to maintain a register of all types of personal data processing activities carried out under their responsibility (see Article 30).

The main innovation of the second draft Regulation is to provide the possibility of imposing coercive measures against the representative in case of non-compliance with this Regulation by the controller (see recital 80 and Article 27 (4) of the Regulation). However, the designation of a representative does not affect the responsibility of the controller or the processor in respect of the authorities and the data subjects, since the designation of a representative is without prejudice to the legal actions could be brought against the controller and the processor themselves.

The Directive

Article 4.2. of the Directive provided that the controller who has no establishment in the EU but which falls under the Union law under the extraterritorial criteria for application of European regulations must designate a representative in the territory of the member State having jurisdiction under Article 4.1. c).

Potential issues

The designation of the representative in Europe appears as a beginning of a solution to ensure the effectiveness of European legislation in respect of processing, the controller of which is established outside the EU. We welcome the possibility provided by the Regulation to impose sanctions against the representative in case of processing activities that are not compliant with the Regulation.

However, the vague outlines of the first exception to the obligation to designate a representative seem to be a source of legal uncertainty, since it leaves to the controllers or processors established outside the EU, the task of assessing whether the proposed processing creates a risk or not to the rights and freedoms of natural persons residing in the Union.

Also, unfortunately, the foreign public authorities are automatically exempted from the requirement to designate a representative. If one conceives the diplomatic difficulties that such a designation would have result in, it deprives those affected by such processing from any defence. We could also imagine subjecting the Union to a duty to negotiate a treaty or an agreement with the States to which these authorities are subject to ensure the protection of the data subjects.

CJEU caselaw

C-131/12 (13 may 2014)

1.      Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

2.      Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.

3.      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

4.      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.

Opinion of Advocate general

Judgment of the Court

C-230/14 (1 october 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general

Judgment of the Court

C-191/15 (28 july 2016)

1.      Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) and Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II) must be interpreted as meaning that, without prejudice to Article 1(3) of each of those regulations, the law applicable to an action for an injunction within the meaning of Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests directed against the use of allegedly unfair contractual terms by an undertaking established in a Member State which concludes contracts in the course of electronic commerce with consumers resident in other Member States, in particular in the State of the court seised, must be determined in accordance with Article 6(1) of Regulation No 864/2007, whereas the law applicable to the assessment of a particular contractual term must always be determined pursuant to Regulation No 593/2008, whether that assessment is made in an individual action or in a collective action.

2.      Article 3(1) of Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts must be interpreted as meaning that a term in the general terms and conditions of a seller or supplier which has not been individually negotiated, under which the contract concluded with a consumer in the course of electronic commerce is to be governed by the law of the Member State in which the seller or supplier is established, is unfair in so far as it leads the consumer into error by giving him the impression that only the law of that Member State applies to the contract, without informing him that under Article 6(2) of Regulation No 593/2008 he also enjoys the protection of the mandatory provisions of the law that would be applicable in the absence of that term, this being for the national court to ascertain in the light of all the relevant circumstances.

3.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the processing of personal data carried out by an undertaking engaged in electronic commerce is governed by the law of the Member State to which that undertaking directs its activities, if it is shown that the undertaking carries out the data processing in question in the context of the activities of an establishment situated in that Member State. It is for the national court to ascertain whether that is the case.

Opinion of Advocate general

Judgment of the Court

Regulation
1e 2e

Art. 27

1.   Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2.   The obligation laid down in paragraph 1 of this Article shall not apply to:

a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

b) a public authority or body.

3.   The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4.   The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5.   The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

 

1st proposal close

Art. 25

1.           In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

2.           This obligation shall not apply to:

(a)     a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

(b)     an enterprise employing fewer than 250 persons; or

(c)     a public authority or body; or

(d)     a controller offering only occasionally goods or services to data subjects residing in the Union.

3.           The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

4.           The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

2nd proposal close

Art. 25

1. Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.

2. This obligation shall not apply to:

(a) (...); or

(b) processing which is occasional and unlikely to result in a (...) risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing (...); or

(c) a public authority or body;

(d) (...)

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

 

 

 

Directive close

Art. 4

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

5. Application of Act

(1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if—

(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.

(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or of any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom—

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice; and the reference to establishment in any other EEA State has a corresponding meaning.

close