How to Demonstrate Compliance With GDPR Article 27

Representatives of Controllers or Processors Not Established in the Union

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

GDPR Article 27 largely deals with protecting the rights of UK (or EU) citizens, in the event of their data being processed by organisations outside of their home country (or outside of their resident political union), largely through the appointment of a formal representative.

GDPR Article 27 Legal Text

EU GDPR Version

Representatives of controllers or processors not established in the Union

  1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
  2. The obligation laid down in paragraph 1 of this Article shall not apply to:
    • Processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
    • A public authority or body.

  3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
  4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
  5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

UK GDPR Version

Representatives of controllers or processors not established in the United Kingdom

  1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the United Kingdom.
  2. The obligation laid down in paragraph 1 of this Article shall not apply to:
    • Processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
    • A public authority or body.
  3. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, the Commisioner and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
  4. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Technical Commentary

Continued compliance is measured in GDPR Article 27 through four main areas:

  1. The conditions for applicability – i.e., who is able to represent the data controller, be it a law firm, consultancy, or a private company;
  2. Exemptions;
  3. Where the representatives should be located;
  4. The representatives obligations and responsibilities.

ISO 27701 Clause 6.3.1.1 (Information Security Roles and Responsibilities) and EU GDPR Article 27

In this section we talk about GDPR Articles 27 (1), (2)(a), (2)(b), (3), (4) and (5)

Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.

Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, which should include:

  • The protection of PII and any privacy-related assets;
  • Executing privacy protection procedures;
  • PII-related risk management activities, including remedial actions;
  • Anyone who uses the organisations information and data, including the use of ICT assets;
  • Individuals with top-level responsibility for privacy protection delegating tasks to others.

ISO acknowledges that each organisation is unique in the way that they process information. The above areas of responsibility should be accompanied by site and facility-specific guidelines that take into account real world factors affecting an organisations PII-processing operation.

All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.

Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).

In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.

Supporting ISO 27701 Clauses

  • ISO 27701 Clause 7.3.2

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 27 (1) to (5)ISO 27701 6.3.1.1ISO 27701 7.3.2

How ISMS.online Helps

We have easy-to-use features that let you start working on data privacy as soon as you log on, regardless of whether you are a novice or an expert looking to integrate multiple standards and regulations.

Data mapping is easy with our PIMS solution. Using our pre-configured dynamic Records of Processing Activity tool, you can easily record and review it all.

If you’re working on privacy standards or regulations, you’ll have to demonstrate that you manage Data Subject Rights Requests (DRR) well. Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.

Find out how we can help you achieve your GDPR goals by booking a 30 minute demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Streamline your workflow with our new Jira integration! Learn more here.