CONTACT US twitter facebook

Legal Services

Article 27 Representation

The impact of Brexit is very much still in focus for organisations across both the EU and the UK. Following the end of the transition period, organisations outside the European Union have to designate a representative in the EU if they wish to continue processing personal data of EU residents and do not maintain an establishment in the EU (e.g., a branch office). Conversely, EU based organisations may also have to designate a representative in the UK, if they wish to continue to offer goods or services to, or monitor, individuals in the UK.

For impacted organisations, it may prove cost-effective to appoint an outsourced representative with establishments in both the EU and the UK which can act on the organisation’s behalf.

The IDPA offers just such a solution through it’s Article 27 Representation service. Clients appoint us as their official GDPR Representative; In doing so, they benefit from both our expertise as data privacy specialists and gain access to our privacy management software.

Our value proposition is your first line of defence to requests from data protection authorities and customers. Our solution requires us to maintain your records of processing activities, respond in a timely manner to subject access requests and represent your organization in all matters related to your processing activities. We also provide Legal guidance in the event you are subject to specific legal challenges or in the event a supervisory authority (SA) opening a proceeding.

What does this mean in practice for organisations?

Commencing the end of the transition period at the end of December 2020:

Consider whether your business foresees an expansion which will lead to a new market. Will you need a representative in the UK and/or the EU as a result of this?

Find the best business option to minimise the cost of appointing representative(s) (e.g. a representative located in the jurisdiction required).

While a UK representative is relatively straightforward in terms of the representative’s location, non-EU organisations will need to assess carefully when choosing where to appoint their EU representative.

Representatives should be located in a jurisdiction in which there are individuals whose data is being processed, but if the individuals are located in multiple countries the organisation will need to make a choice about where to appoint them. In many cases this will not be an obvious choice and a business and legal analysis will be needed to assess where a representative can most effectively fulfil their role.

If an organisation processes data from individuals in multiple EU countries, the representative must remain easily accessible to the individuals in all those countries, and must be able to communicate in the language used by the individuals and supervisory authorities of each of those countries. An outsourced representative with an international presence will make it easier to have a representative easily accessible to individuals and supervisory authorities in different countries, with the language skills required to communicate with them.

What Role does the EU-Representative have?

  • Represents the non-EU based company with respect to obligations under the GDPR.
  • The representative shall be identified in privacy notices of the non-EU based company.
  • Supervisory authorities and data subjects have the right to contact the representative on all issues related to data processing, for the purposes of ensuring compliance with the GDPR.
  • Records of processing activities have to be maintained by the representative for the non-EU based company (which shall prepare and provide such records to the representative).
  • Cooperation with the supervisory authority on request.

We act as a trusted point of contact for privacy related enquiries from all of your EU customers, targeted individuals, website visitors or data subjects whose personal data you process. Our proprietary solution provides you with a structured process for privacy related requests and lets you channel, structure and filter all incoming privacy requests through our solution. It is designed to simplify and manage the lifecycle of a privacy request for you and your customers, saving you time, internal resources and money and reducing your compliance risk substantially.

How does IDPA customer service operate?

All our clients are supported by a dedicated team of privacy professionals. We are able to assist your clients in English, German, French, Italian, Spanish and Portuguese. We respond to all support requests within one business day.


Does the IDPA offer support in case of a data breach?

Yes, we have developed compliant breach response solutions to mitigate and reduce fines from supervisory authorities. We guarantee you best practice in handling data breaches from our knowledge and experience in the engagement with various SA’s. We manage communications, act as an intermediary in negotiations and strive to ensure the impact of a breach is minimised.

Does the IDPA offer NIS representation in accordance with Art 18 NIS Directive (EU 2016/1148)?

We do offer representation according to Art 18 NIS Directive (EU 2016/1148) for digital service providers (DSPs) to complete our one-stop-shop offering. Enjoy a consistent response without the need for coordination between different providers in cases of a security incident. Please contact us directly to get your quote for this service.

Download a list of Frequently Asked Questions regarding Art. 27 GDPR Representatives here

download pdf