Contact Us
Search Icon

Suggested region and language based on your location

    Your current region and language

    BSI announce Article 27 Representative Service to support GDPR compliance for countries outside the EU

    16 December 2020

    The cybersecurity and information resilience team at BSI has announced the introduction of an Article 27 Representative Service to support European Union (EU) and non-EU organizations with GDPR (General Data Protection Regulation) compliance obligations.

    Article 27 of the GDPR mandates that an organization must have an EU-based Representative if it does not have an EU-based establishment and provides goods or services in the EU or monitors EU-based data subjects. The Representative is responsible for acting as a contact point for data subjects, the supervisory authorities within the EU, for maintaining a copy of the Article 30 Record of Processing Activities (RoPA) of the non-EU organization and providing any information the supervisory authorities require for the performance of their tasks such as queries or supervision activities.

    The new privacy service offering at BSI will offer independent expert representation on behalf of global clients to ensure organizations meet both EU and UK data protection compliance obligations. The Article 27 Representative Service is separate from that of a Data Protection Officer (DPO), acting as a main point of contact for EU or UK data subjects and EU or UK supervisory authorities for organizations who do not have a presence in the relevant country.

    Conor Hogan, Global Practice Lead - Privacy - Cyber, Risk and Advisory at BSI said: “The Brexit transition period ends on the 31 December and will have a significant impact on data protection compliance for thousands of companies. This affects UK organizations with no establishment in the EU, who sell goods or services into the EU or monitor EU-based data subjects and will also affect EU organizations who have no presence in the UK but sell goods or services into the UK or monitor UK-based data subjects.”

    “While Article 27 is not a new addition to the GDPR and applies to organizations all over the world, it does become crucially important when managing business with the UK from the 1 January. Organizations need to be aware of the variety of changes the UK’s exit from the EU may bring to their business operations including data protection obligations. Providing the necessary guidance on data privacy compliance depending on the jurisdictions they reside in, the data they process, and the markets in which they trade is where our experts can assist efficiently and cost-effectively, allowing organizations to focus on their core business activities,” concludes Conor.