§ GDPR · Article 27
GDPR Article 27: Obligations, Deadlines & Penalties
At a glance
Article 27 of the GDPR imposes 3 obligations on controller or processor, representative.
§ Obligations
All obligations under Article 27
Obligation 1
The controller or processor shall designate in writing a representative in the Union where Article 3(2) applies.
Regulation (EU) 2016/679, Article 27, Article 27
- Obligated entity
-
controller or processor
- Action required
-
designate
- Deadline
-
—
- Penalty
-
—
- Exemptions
- processing which is occasional, does not include large-scale processing of special categories of data or criminal convictions, and is unlikely to result in risk to rights and freedoms; or a public authority or body
Obligation 2
The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
Regulation (EU) 2016/679, Article 27, Article 27
- Obligated entity
-
representative
- Action required
-
establish
- Deadline
-
—
- Penalty
-
—
Obligation 3
The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by supervisory authorities and data subjects on all issues related to processing.
Regulation (EU) 2016/679, Article 27, Article 27
- Obligated entity
-
controller or processor
- Action required
-
mandate
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 27
Who must comply with Article 27 of the GDPR?
+
controller or processor, representative.
What does Article 27 of the GDPR require?
+
designate establish mandate