Article 27 – No-one told me that…

By Aim's data protection experts

February 2021

 

Brexit is done and, whilst there may be a few loose ends, most of the key elements of our new relationship with the EU are in place. This is good, nothing to worry about then… Well, maybe there are things we didn't know about but still need to consider. For instance, we assumed tariff-free trade meant no tariffs, but that is not entirely the case. And yes, there are some data protection issues when dealing with the personal data of people in the EU. For example, if your company is not established in the EU but offers goods or services to people in the EU, irrespective of whether they pay for them, or monitors the behaviour of people in the EU, you will need to appoint a representative within the Union. This is Article 27 of the GDPR, and it follows from Article 3(2), which extends the GDPR to exactly this kind of processing. And just to be clear, if you are selling goods or services to customers in the EU, it is extremely likely that this will apply to you.

 

So what is a representative? Companies that do not have an “establishment” within the Union (the GDPR's own concept, meaning the effective and real exercise of activity through stable arrangements, whatever the legal form, rather than the tax concept of a “permanent establishment”) must designate, in writing, someone within the Union, either an individual or a company, based in one of the Member States where the relevant data subjects are. The representative maintains the record of processing activities on behalf of the non-EU company and acts as the point of contact for supervisory authorities and data subjects, in addition to or instead of the company itself. There is an exemption, but it is narrower than is often assumed: a representative is not needed only where the processing is occasional, does not include large-scale processing of special category data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of individuals, and all three of those conditions must be met together; public authorities and bodies are also exempt. Organisations would do well to consider honestly whether they really meet the “occasional” and “not large scale” criteria, since failing to appoint a representative when one is required is itself an infringement, subject to administrative fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.

 

If a company breaches the GDPR, it could be subject to enforcement action, and the representative is the one to whom the EU supervisory authorities would address summons, orders and fines, even though it is the foreign company that is subject to the sanction. Appointing a representative does not shield the company either: the regulation is explicit that the designation is without prejudice to legal action taken against the company itself. Note that the representative does not take on the company's liability. It cannot be fined for the company's infringements, only for breaching its own obligations under the GDPR, such as failing to maintain the record of processing activities or failing to cooperate with a supervisory authority.

 

This is a difficult area, one that needs to be considered carefully by looking at the processing that actually takes place, and it is yet another administrative overhead to take into account. But it is one that is essential for UK businesses now that we are no longer part of the European Union.

 

 

More:

 

  • For information about our data protection services, please click here.

 

  • Data breaches: what should you do if they happen? Our 30-minute GDPR Data Breach Training gives you an understanding of what data breaches are, what the GDPR says about them and how you should deal with breaches if they occur. Access our training here.