Article 27 European Representative Service

Most people will be aware that Data Protection regulations changed within Europe on the 25th May 2018 with the implementation of the General Data Protection Regulation (GDPR).

Whilst the GDPR is a European regulation, many organisations outside of Europe will be unaware that they are, under certain conditions, required to appoint a European Representative.

The requirement to appoint a European Representative is not new. Some organisations outside of the EU were supposed to be subject to a similar requirement already prior to 25th May 2018.

However, very few companies outside of the EU have appointed representatives under Article 4 of Directive 95/46/EC, which has provided since 1995 that a “controller must designate a representative established in the territory of [a] Member State” where such controller “makes use of equipment, automated or otherwise, situated on the territory of the said Member State …”

Article 3(2) and Article 27 of the GDPR expand the requirements to processors and removes the limiting condition of local equipment.

Does the GDPR apply to my Organisation?

Does your organisation have a legal entity currently estabilished in Europe?

Does your organisation have any other form of establishment in Europe?

Does your organisation offer goods or services to citizens in Europe?

Does your organisation monitor the behaviour of citizens located in Europe?

If you answer YES to any of these questions it is likely that your organisation will be required to comply with the GDPR

If you fail to appoint a European Representative you risk being fined € 10 million or 2% of global turnover.

Helping you navigate GDPR

01.

ASSIGN

XpertDPO will appoint a fully qualified and certified Data Protection Expert as Your European Representative.

03.

INCIDENTS

XpertDPO will forward on all Subject Access Requests.

02.

NOTIFY

XpertDPO will register with the relevant Statutory Authority and act as the main point of contact.

04.

REPORTS

Annual management reports detailing queries and incidents raised plus any other relevant data protection issues.

How can XpertDPO help?

XpertDPO will act as your European Representative to ensure your compliance with the GDPR.

Personal Information vs PII…

Personally Identifiable Information (PII) is the American term and the term personal information is meant to be the EU equivalent of PII. Nonetheless, they do not correspond with each other exactly. All PII can be personal data but not all personal data is considered as PII.

Article 4 of the GDPR states that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

PII has a limited scope of data which includes: name, address, birth date, Social Security numbers and banking information. Whereas, personal information in the context of the GDPR also references data such as: photographs, social media posts, preferences and location as personal.

Why should I complete a gap analysis?

Many US organisations may not be aware that Personal Information has a much broader scope than PII and therefore, may be unaware that they need to comply with the GDPR and thus are required to appoint a Nominated European Representative.

XpertDPO will work closely with your organisation and staff to provide extensive training so that you are fully aware of your obligations and responsibilities under the GDPR.

The GDPR applies to Data Controllers AND Data Processors that process personal data of individuals in the EU (NOT JUST EU CITIZENS!!!), regardless of where the organisation is established in the world. Remember, Personal Data under the GDPR has a much wider scope than PII as used in the United States!!

Those organisations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance.

A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to mitigate these risks as far and as early as possible.

Article 27 of the GDPR states that a Controller or Processor who is not established in the EU and offers goods or services to data subjects in the EU or monitors the behaviour of Data Subjects occurring within the EU must appoint, in writing, a representative within the EU.

What is establishment and how do I determine establishment?

The key to determining your organisation’s main establishment if you are a data controller, is to identify which of your organisation’s establishments has the power to take decisions on the purposes and means of your processing of personal data. This may be your place of central administration in the EU, but if your organisation takes these decisions at another establishment and that establishment has the power to have the decisions implemented, then the other establishment will be your main establishment.

If you are a data processor, your main establishment will be the location of your central administration in the EU unless your organisation does not have any central administration in the EU. If this is the case, the location where your organisation’s main processing activities take place will be your main establishment. If your organisation is a joint controller with one or more other organisations, you should identify which establishment of the joint controllers has the power to take and implement decisions on the purposes and means of processing. That establishment will be the main establishment of the joint controllership.

If your organisation is part of a group of undertakings, the main establishment for the group will be the establishment where the entity that controls the group takes decisions on the purposes and means of the group’s processing. If your organisation is engaged in a number of separate cross-border processing activities, it is possible that you will have more than one main establishment. You should not assume that all of your organisation’s cross-border processing activities will share the same main establishment.

This will be the case where decisions on the purposes and means of one processing activity are taken in the context of one establishment, while the decisions for a separate processing activity undertaken by the same organisation are taken in the context of a separate establishment.

It is important to note that a controller that DOES NOT have an establishment in the EU CANNOT avail of the One Stop Shop mechanism (OSS) and therefore must deal with local supervisory authorities in EVERY member state they are active in, through their Nominated European Representative.

The role of a European representative under Article 27 of the GDPR

The Nominated European Representative acts as a guardian or gatekeeper for your organisation. If you are based in the United States, think of the role being similar to the Delaware Agent many US organisations are required to keep.

The Nominated European Representative must be identified in the privacy notices of the non-EU based company pursuant to Article 13(1)(a) and 14(1)(a) and can be addressed in addition to or instead of the non-EU based company, in particular, with respect to communications with supervisory authorities and data subjects, on all issues related to data processing, for the purposes of ensuring compliance with the GDPR, pursuant to Article 27(4).

The Nominated European Representative represents the non-EU based company with respect to obligations under the GDPR, pursuant to Article 4(17).

In terms of active duties, the Nominated European Representative shall maintain records of processing activities for the non-EU based company (which is the one that has to prepare and provide such records, pursuant to Article 30). And, the Nominated European Representative shall co-operate with the supervisory authority pursuant to Article 31 on request.

European Representative Vs Data Protection Officer

A Nominated European Representative under Article 27 and a Data Protection Officer under Article 37 have quite different roles, tasks, functions and duties: A Data Protection Officer functions as the long arm of a data protection authority within an organisation and is intended to foster a compliance culture.

The Nominated European Representative acts more like a local representative. Organisations without an establishment in the EU are required under Article 27 to designate a representative in the EU so data protection authorities can reach and sanction them when required. The Nominated European Representative keeps records of processing activities and is available to receive inquiries and complaints.

XpertDPO as your European Representative

As your Nominated European Representative, XpertDPO will be the contact person for your Data Subjects (Customers) in all European member states.

Your Nominated European Representative will be legally appointed to represent you as the Data Controller when dealing with Data Protection Authorities in the EU.

We will assist you in establishing and maintaining Article 30 Records of Processing. If requested, we will provide these records to Data Protection Authorities.

Ready to start your
Data Protection journey with us?

Our Experience

XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.

We are one of the leading providers of Outsourced Data Protection Officer services in Ireland and the UK. We also specialise in offering Nominated European Representative Services to non EU based organisations.

Certified Data Protection Officer
Certified Information Security Manager (ISACA)
Certified Information Systems Auditor (ISACA)
Certified in Risk and Information Systems Control (ISACA)
Certified Cloud Security Professional (ISC2)
Certificate of Cloud Security Knowledge
Cyber Essentials

"XpertDPO has worked closely with FIT on matters relating to our responsibilities as Data Processors and, more broadly, on our practical processes for managing client data with due regard for the GDPR regulation. In this respect, XpertDPO’s team has been proactive in sharing knowledge and best practices, which have developed considerably FIT’s internal competence and the necessary ongoing development of staff.”

"XpertDPO have been our European Representative following Brexit in 2020. The onboarding process was simple and the advice provided assists in meeting obligations under EU GDPR."

"By having XpertDPO act as our European Representative for Frontline Accounting, we are confident we are meeting the legal requirements of the GDPR. XpertDPO’s team are always on hand to answer any queries we may have and to help us respond to any Data Subject Access Requests from any client across the UK and the EU."

"XpertDPO are our first and only port of call when we need data protection expertise. We have worked closely with XpertDPO since 2018 and their support has been invaluable. They consistently provide us with the skills, knowledge and technical expertise to deliver excellence to our clients"

"The advice, support, and relationship we have received from XpertDPO has been invaluable. They are exactly the resource we needed to help us scale our Security & Privacy program. Their expert knowledge on GDPR has enabled us to become more knowledgeable in a critically evolving space. With XpertDPO, you receive more than just a data protection service, but the opportunity to learn, feel supported, and bridge the gaps in your compliance journey. Confidently working with global clients has been almost effortless thanks to their expertise and the service they provide us. We could not be happier with our experience thus far and look forward to continuing working closely together.”

"I can highly recommend the services of Stuart and Aimee from the XpertDPO team. Stuart’s wealth of knowledge on all things data protection is second to none and both Stuart and Aimee have always been highly professional and efficient, as well as being friendly, helpful and supportive. All work has been carried out in a timely manner and both Stuart and Aimee have always taken the time to explain our GDPR obligations to us and to help us work through all of the paperwork and processes we need in place. We are delighted to have the services of XpertDPO as the Informed Minds App Data Protection Officer and we feel very safe and secure in the knowledge that we are meeting all of our GDPR obligations with the help of their team."

“I first met Stuart and XpertDPO in 2018, and quickly realised that the level of expertise and depth of knowledge that he possessed was second to none, and I am delighted to say that XpertDPO and TalentPool has worked on many mutually profitable professional projects. The two companies developed Ireland’s first QQI certified Data protection course, which we have successfully delivered with the XpertDPO team into numerous organisations. Stuart and his team have also advised us on many issues around our Data Protection and the incisive advice and guidance he has given us is second to none.”

“XpertDPO as per their name are truly the experts in GDPR regulations. Stuart is very knowledgeable & very thorough with his understanding of the subject. From my very initial association with them to my continued engagement, XpertDPO have always come across as very approachable. The support that Stuart gives our organisation is very valuable and practicable, especially in today’s post Brexit world. More importantly, I find that Stuart is always at the end of a call to help me out and address any urgent GDPR related queries. I highly recommend XpertDPO and Stuart to anyone who is seeking a very through but practical advice and solution if they are navigating the maze of GDPR regulations!” Stuart and his team have also advised us on many issues around our Data Protection and the incisive advice and guidance he has given us is second to none.”

A Selection of Our Happy Clients

XpertDPO is a Data Protection and Compliance consultancy firm in Ireland UK, that offers practical, tailor-made solutions.

Dublin

London

Bahrain

Please fill out the fields below: