Typically not.

Article 27 of the GDPR requires some foreign (i.e., non-European) companies to designate a “representative" that is present in the European Union.¹  The purpose of the representative is to provide a European point of contact for “supervisory authorities and data subjects, on all issues related to processing.”²  The representative, however, is “not itself responsible for [its company] complying” with the GDPR; the main function appears to be that the representative should “facilitate the communication between data subjects and the controller or processor represented;” and, by making such communications easier (e.g., local contact numbers, addresses, etc.), “the exercise of data subjects’ rights are [more] effective.”³

Not all foreign companies, however, are required by Article 27 to appoint a representative.  Indeed, the GDPR makes clear that only a controller or a processor that is subject to the extra-territorial application of the GDPR pursuant to “Article 3(2)” of the regulation need appoint a representative.⁴ The fact that Article 3(2) jurisdiction is a prerequisite to the requirement that a representative be appointed also has been recognized by the European Data Protection Board which, in guidance issued for public consultation, stated that the Article 27 requirement applies only to “[d]ata controllers or processors subject to the GDPR as per its Article 3(2)” or “falling under the scope of Article 3(2).”⁵

Article 3(2) only applies in two situations. 

The first situation occurs when a company that is not based in the European Union “offer[s] goods or services” to a “data subject” that is based in the European Union.⁶  It is important to note that the term “data subject” refers only to “natural person[s]” and does not include legal entities such as companies or corporations.⁷ The second situation occurs when a company “monitor[s]” the “behaviour” of someone “as far as their behaviour takes place within the Union.”⁸ If neither situation applies a company is not required to appoint an Article 27 representative.⁹

Many processors that are based in the United States, or that process data only from United States-based establishments, do not fall under the scope of Article 3(2).  For example, a processor that provides contract management (e.g., formats contracts, tracks their progress through signature, and/or houses completed contracts) would not be offering a good or service to a “data subject.”  The service that they provide (i.e., contract management) would be offered to their commercial client.  While their commercial client would be a “controller” for the purposes of the GDPR, it could not be a “data subject” as it is not a natural person.  It would equally be difficult to characterize the processor as monitoring the behavior of Europeans.  While the processor would collect some information about Europeans (e.g., the name of an individual counter-signing a contract), the European Data Protection Board has made clear that the collection of information about Europeans in of itself does not “automatically count as ‘monitoring’.”¹⁰ Instead, the European Data Protection Board has stated that there needs to be some degree of “subsequent behavioral analysis or profiling techniques” in order for processing to fall under the scope of “monitoring.”¹¹

The net result is that a processor that is based in the United States, is providing services to other businesses, and is not monitoring Europeans, does not have to appoint an Article 27 representative. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. GDPR, Article 27(1).

2. GDPR, Article 27(4).

3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 23.

4. GDPR, Article 27(1).

5. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 19, 20 (emphasis added).

6. GDPR, Article 3(2)(a).

7. GDPR, Article 4(1).

8. GDPR, Article 3(2)(a), (b).

9. GDPR, Article 27(1).

10. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 18.

11. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 18.

[View source.]