Demystifying GDPR Article 27: A Guide for US Businesses

Did you know that if your US business trades with the EU and processes EU citizens’ data, you’ll need to appoint a GDPR Article 27 representative?

The General Data Protection Regulation (GDPR) has had a major impact on how European Union (EU) businesses handle personal data, but that impact hasn’t been limited purely to the EU. Beyond the borders of the EU, any business anywhere which handles the data of residents of the union is also bound by GDPR. That includes US businesses.

You might ask how the EU would be able to manage and police such a measure, and the answer is via Article 27 of the regulation. Article 27 sets out the requirement for businesses processing EU citizens’ data outside the EU to appoint an EU GDPR representative resident inside the EU.

That representative will be the conduit through which requests and queries flow between the company, EU authorities and EU citizens.

In this blog post, we will unravel the complexities of GDPR Article 27 and help US businesses navigate this crucial aspect of data protection compliance.

Understanding GDPR Article 27

GDPR Article 27 was designed to safeguard the rights and freedoms of individuals within the EU regarding the processing of their personal data by entities located outside the EU. This provision applies to non-EU businesses that offer goods or services to EU individuals or monitor their behavior.

By “EU individuals” we mean people of any nationality resident within the EU.

Do you need to appoint an EU representative for GDPR Article 27?

Non-EU businesses falling under the scope of Article 27 must designate a European representative for GDPR. Your business falls under the scope of Article 27 if:

• It does not have a physical location/establishment in a member state, and
• It offers goods or services to persons in the EU, and
• It collects, processes or stores the data of EU individuals, and
• That collection, storing or processing amounts to more than “occasional”

How to appoint an EU GDPR consultant

In appointing and setting out the role of the GDPR EU representative, US companies should:

• Assess applicability: Use the above guide to establish whether GDPR Article 27 applies to your operations.

• Appoint the rep: The EU GDPR consultant you appoint must be located in one of the members states in which you are actively collecting, using or storing member data.

You do not, however, need to appoint a rep for each state in which you are active – one will do.  

• Publicly identify the GDPR rep: The rep you appoint must be an individual (that is, not an organization) who is clearly identified in your privacy policy and other information you provide to data subjects (the people whose data you collect or store).

You’ll also need to provide the rep’s contact details, including their name, address, and means of communication, to the relevant EU supervisory authorities.

• Authorize them to act: The US business must authorize the EU representative to act on its behalf in ensuring GDPR compliance. The authorization should be in writing.

• Set out responsibilities: Give your GDPR rep a clear mandate which outlines your rep’s responsibilities and tasks related to GDPR compliance.

• Understand limit of responsibility: When you appoint an EU representative for GDPR Article 27, it’s important to remember that while supervisory authorities can take action against the GDPR rep for any failures, they can also take action against the company.

Effectively, that means the GDPR EU representative is in the trenches with you, but they’re not your shield against any issues of non-compliance.

What will your representative for GDPR do?

• Maintain accurate records: Your EU representative should diligently maintain records of your processing activities on behalf of EU individuals.

• Cooperate with supervisory authorities: When EU member state authorities wish to contact your organization, they will do so via your GDPR rep, who will also translate anything that needs your attention.

• Liaise with data subjects: When a data subject in the EU asks for an alteration or deletion of their data, your European representative for GDPR will be their first point of contact.

• Protect compliance: US businesses should conduct periodic reviews of their compliance with GDPR Article 27. The GDPR consultant should support that process and help the business remain compliant. Any business should also periodically review its GDPR EU representative to ensure they remain effective.

Next steps in GDPR for US businesses

If you handle the data of EU citizens but haven’t yet appointed an Article 27 rep, it’s time you did. Penalties for non-compliance can be as high as 2% of global turnover or €10,000,000, whichever is higher.

Yet beyond reducing the risk of financial penalties, an EU representative for GDPR Article 27 can help you build consumer trust, reduce the risk of data breach and make data compliance simpler.

Appoint your GDPR EU Representative

Find the right EU GDPR consultant for you now, get data protection advice or, for questions about your next steps, call +1 303 317 5998.