Do I need an EU and/or UK Representative according to Article 27 of the GDPR?
Firms based outside the EEA and/or the UK without an establishment in the EEA and/or the UK but offering services to individuals in the EEA and/or the UK (e.g. provision of a website in an EU language) or monitoring behaviour (e.g. cookie profiling), need to appoint a Representative in the EEA and/or the UK according to Article 27 of the GDPR.
Why should I care about a European regulation as a non-European company?
The GDPR extends its territorial scope beyond the territory of the EEA and of the UK and
therefore can be enforced on firms outside of Europe with potential fines of EUR 20 million or 4% of turnover whichever is greater.
Are there any Exemptions to Article 27?
Controllers and processors are exempt from the requirement to have a representative if all of the following criteria are met:
• Personal data is only processed occasionally (this is expected to be interpreted narrowly).
• The processing does not include large-scale data processing of special categories of personal data or personal data relating to criminal convictions and offences.
• The processing is unlikely to result in a risk to the rights and freedoms of the data subject.