Article 27 GDPR Representative Service

Make sure you are compliant or risk a fine from the relevant Data Protection Authority

The UK has now left the European Union. Subsequently, the UK is now fully a “third country” as far as the EU is concerned. As a result there are some important changes that UK businesses trading in the EU and foreign businesses trading in the UK must comply with by law.

As a third country, UK entities (as are all entities of non-EU countries), are caught by Article 3 (in particular subsection (3.2)) of the EU GDPR:

This Regulation applies to the processing of personal data by a controller not established in the European Union, but in a place where Member State law applies by virtue of public international law.

As a direct result of this, Article 27 of the General Data Protection Regulation (“GDPR”) requires:

i) all UK businesses with no business presence in a EU Member State, that transacts business in the EU, or

ii) monitors the behaviour of individuals within the EU

to have in place a “GDPR Representative” who is a resident in one of the EU Member States in which they transact business.

The GDPR Representative’s role is to ensure that the organisation complies with the GDPR and/or the UK GDPR by enabling communication with individuals and data protection authorities. 360 Business Law has introduced a brand new service offering both EU, UK and overseas companies a “GDPR Representative service” through 360 Business Law (Cyprus) Limited and its various consultant lawyers across the UK and Europe.


Under the UK GDPR, any non-UK based business that does not have a business presence in the UK, but which transacts business in the UK or monitors the behaviour of UK-based individuals must have a GDPR Representative in the UK.

In this situation, organisations must appoint an EU and/or UK GDPR Representative in a relevant EU Member State and/or the UK. In certain situations, and as a consequence of Brexit, organisations may have to appoint a GDPR Representative in both the EU and the UK.

The requirement of the Article 27 Representative has been put in place to provide the relevant Data Protection Authority with the ability to enforce the GDPR against entities that are out of the jurisdictional reach of the EU.

Our representative services are provided by a team of expert lawyers, with in-depth experience of working with EU and UK regulators and advising on privacy compliance projects. The team, headed up by Duncan Gillespie, a solicitor admitted in England and Wales with nearly 25 years’ experience and a data privacy specialist, will work with our UK and EU legal teams enabling us to provide you with the legal guidance needed to respond effectively to inquiries by supervisory authorities or more complex interactions with data subjects.

EU or UK representatives have to meet the specific requirements. Our representatives are here to:

Mandatory requirements

  • Understand your approach to GDPR and/or the UK GDPR (if applicable) compliance;
    • dedicate time to understand your personal data processing activities and your approach to compliance.
    • keep in touch with you so you’re up to date with respective changes to EU rules on personal data processing.
  • Act on your behalf in the EEA (including the EU) and/or the UK (if applicable);
    • be named in your privacy notices as a point of contact in the EEA and/or the UK.
    • act on your behalf with European and/or UK data protection authorities.
    • be the contact point for data subject requests.
  • Maintain your record of processing activities (ROPA) as required the GDPR and/or the UK GDPR.

Provide you with our assessment of your state of compliance with the GDPR and/or the UK GDPR

    • In the first year, we can undertake an initial audit of your privacy compliance or review an existing audit to help you ensure you are in line with applicable data protection requirements.
    • In the following years, we can run an annual high-level audit to ensure you remain compliant over time.

The Commission can issue fines for not having an Article 27 Representative appointed in accordance with Article 83(4):

83 (4) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

  1. the obligations of the controller and the processor pursuant to Articles 81125 to 39 and 42 and 43;
  2. the obligations of the certification body pursuant to Articles 42 and 43;
  3. the obligations of the monitoring body pursuant to Article 41(4).

On 26th January 2021 we hosted a webinar on the subject which is available to stream On-Demand at

You can also contact us for a consultation to find out whether this service is right for your business.

gdpr us rates table

For further information or to discuss a matter please telephone +1 202 263 3651 or click here to email us.

Copyright© 2020 360 Business Law America. All rights reserved.