As can be gauged from the title, Article 27 deals with controllers or processors that are not geographically located in the European Union. In the modern, hyper-connected technological age, our personal data might be in the hands of an entity located on the other side of the world, of which we are completely unaware. In case of a data breach, would such an entity be responsible, considering it is not even located in the territory where the GDPR is applicable?
The answer is in the affirmative, because the GDPR concerns itself with the location of the data subjects, i.e. the individuals whose data is being processed, and not with the address where the controller or processor is headquartered. We have already read in previous articles that the GDPR is applicable to all controllers and processors who process data of data subjects based in the European Union, even if those controllers or processors are located outside the European Union. Taking a step further, to enhance the reach of the GDPR and to prevent any entity from slipping out of its clutches, a provision for the appointment of a representative has also been made.
Firstly, a controller or processor not located in the EU must appoint a representative in the EU, particularly in the Member State where the data subjects are located. This appointment shall be in writing and can be as simple as an informal letter.
However, the appointment of a representative shall not be necessary if the controller or processor is not processing sensitive data as mentioned in Article 9 or data related to criminal convictions or offences as indicated in Article 10. Additionally, if there is no risk to the rights and freedoms of individuals, there is no need to comply with this obligation. Also, a public authority is excluded from the requirement to appoint a representative.
The appointment of a representative means that all correspondence from any supervisory or regulatory authority shall be addressed to the representative, in addition to or instead of the controller or processor, for all purposes related to compliance with the GDPR. However, this does not relieve the controller or processor of liability in any legal action or legal proceeding.
It is to be noted that the appointment of a representative is for the sole purpose of ensuring compliance with the GDPR. It has been provided so that the authorities can correspond with the controller or processor more effectively through the representative, and so that controllers or processors cannot evade compliance by citing geographical distance.