Frequently Asked Questions on Article 27 GDPR


Does my company need an Art 27 GDPR representative in the EU?

Which companies need an EU representative?

Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:

  • offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or

  • monitor their behaviour (e.g. cookie profiling).

According to Guidelines 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of the GDPR, this applies to both controllers and processors. For processors not established in the European Union, the applicability of the GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, the GDPR applies to the processor in addition to the controller.

Case 1: Online Gaming: You are an online gaming company located outside the EU and offer your games to data subjects in the EU free of charge. When they use your games, you analyse the data subjects' geolocation data, web-browser data and history, and show ads based on this data. As you target the EU market by offering your games and monitoring the users' behaviour, you are legally required to appoint a GDPR Representative physically established in an EU member state to remain compliant. Violations of the EU GDPR can lead to substantial fines by authorities and exclusion from business activities in the EU.

Case 2: B2B SaaS: You develop CRM software and offer it as a SaaS product to companies that are either targeting the EU without an establishment or are located in the EU. Because your business clients are targeting EU data subjects and your CRM software product is processing and storing their data, you are also required to appoint a GDPR Representative physically established in an EU member state. Most likely your business clients in the EU will also require you to appoint a representative and enter into a data processing agreement. You can establish trust by already being GDPR compliant during the negotiation phase with your business clients.

Are there any exemptions from the obligation to appoint an EU representative?

Does my company offer goods and services to individuals in the EU?

Does my company monitor the behaviour of EU data subjects?

What fine may be imposed for non-compliance?

What to look for in an Art 27 representative?

What are the responsibilities of the representative?

Where should a representative be located?

What is PrighterGDPR-Rep's approach to representation?

What are the services provided by PrighterGDPR-Rep?

How does PrighterGDPR-Rep secure and protect sensitive data?

How can my company appoint PrighterGDPR-Rep as my representative?

What is the process of appointing PrighterGDPR-Rep as my EU representative?

We are a group of companies. Do you offer special options for groups?

What are the payment options?

How can my company manage the representation?

What happens to incoming requests?

Does PrighterGDPR-Rep offer help with answering requests?

Is PrighterGDPR-Rep one of my company's processors? Where can I find the data processing agreement?

How can more than one business be managed?