Is Article 27 the GDPR’s ‘hidden obligation’?

At least that’s what is happening in the EU. Outside of the Union, where the GDPR does apply to companies processing personal data of people in the EU, the situation is a little less clear.

The European Commission has done a poor job of notifying the rest of the world that they could face fines in Europe for the manner in which they process personal data, perhaps of the view that the privacy consultant market would be able to push this agenda for them. Certainly, the majority of consultants have been working to educate their non-EU clients, although too often the response is incredulity; why should they worry about a new law in the EU when they have no base of operations in Europe?

One of the prime areas where a lack of knowledge is placing non-EU companies at risk of GDPR fines is the representative obligation under Article 27.

For those unfamiliar with it, Article 27 requires companies that are not established in the EU, but that monitor or process the personal data of people within the EU, to appoint an EU-based representative to act as their Europe-facing point of contact for individuals and local data protection authorities. The purpose of this is simple: It ensures that EU citizens will be able to contact the controllers and processors outside of Europe that hold their personal data, without having the potentially confusing, difficult and costly efforts required to contact them at their base (imagine the situation in which a French citizen is trying to contact a data controller in a less-developed country with an unreliable postal system; the likelihood of them receiving a response within the regulatory response period of a month is very unlikely).

So why is the message on the representative not reaching the companies obliged to appoint one?

Clique aqui e leia a matéria completa.