One of the lesser-known but still important obligations that non-EU-based organizations face under the EU General Data Protection Regulation (GDPR) is found in Article 27, which is aptly titled ‘Representatives of controllers or processors not established in the Union.’ To be sure, we’re not talking about the American Civil War here – organizations that are regulated by the GDPR, but that are established outside of the EU, must formally appoint a representative in the European Union to represent them on data protection matters.
In this article, you’ll find a link to VeraSafe’s GDPR Article 27 Representative Agreement Template that your organization can use to help appoint its EU representative.
Do Corporate Groups Need to Appoint a Representative for Each Group Company?
In many cases, the answer is ‘yes’. Even if your multi-national group of companies has a parent or subsidiary in the EU, your non-EU group companies still need to formally appoint a representative in the EU.
Your EU office may serve as the Article 27 representative for your group’s non-EU companies, but only if the EU entity satisfies the basic criteria laid down in the law, namely that the representative is “established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.” In other words, your Article 27 representative must be located in one of the Member States of the EU where your data subjects are located, or where you sell or offer your products or services. You’ll also want to be sure that your EU representative has a sophisticated understanding of EU data protection law. With these factors in mind, a small subsidiary in the EU isn’t always an option, let alone an ideal fit for this responsibility.
How Can a Non-EU Organization Appoint VeraSafe as its Representative in the EU?
VeraSafe’s Article 27 Representative Program allows organizations located outside of the EU to appoint VeraSafe as their representative in the EU on data protection matters. VeraSafe currently offers its representative service in two very business-friendly jurisdictions: Ireland and the Czech Republic.
Even if your corporate group has an office in the EU, VeraSafe’s Article 27 Representative Program may still be a good choice for your organization. EU data protection authorities expect that your representative will be able to engage in productive and informed dialogue regarding the data protection program of your organization. VeraSafe’s in-house team of EU and U.S. attorneys, data protection consultants, and IT security experts is well equipped to interface with regulators on your behalf.
To learn more about VeraSafe’s Article 27 Representative Program, contact us today, or visit this page: https://www.verasafe.com/privacy-services/gdpr-article-27-representative-service/
VeraSafe’s GDPR Article 27 Representative Agreement Template
If your organization identifies a corporate subsidiary, parent, partner, or other affiliate that can represent the group’s non-EU companies on data protection matters, you’ll need to make this appointment officially, in writing. In many cases, the EU representative will need to be effectively shielded from the civil liability that this representative position may involve. You’ll also want to address other important contractual matters. To help VeraSafe’s professional services clients accomplish these objectives, VeraSafe has developed a GDPR Article 27 Representative Agreement Template – and now you can access this template for free. Your organization is encouraged to review its exposure to Article 27 of the GDPR and consider using VeraSafe’s GDPR Article 27 Representative Agreement Template as a starting point.
Need a GDPR Expert?
VeraSafe’s strength lies at the intersection of law and IT. VeraSafe’s team brings together two skillsets not traditionally found under the same roof, combining American and European data protection attorneys, privacy professionals, and IT security experts. VeraSafe is dedicated to providing industry-leading privacy and security advice that matches the budget, risk tolerance, and needs of each client we serve.
With its focus on European privacy and cybersecurity law, VeraSafe provides a complete solution for your organization’s compliance with the GDPR. VeraSafe can assist you with identifying the precise extent of the GDPR’s applicability to your organization and provide expert support to operationalize your complex obligations under the law.