Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.
All, that is, with the exception of Recital 80 / Article 27 – Representatives.
I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.
My English translation (i.e. not legalese) of Recital 80 is:
Any controller or processor not established in the EU, but who:
1. offers goods or services (regardless of payment acceptance) to data subjects in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.
…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:
- is occasional;
- does not include processing on a large scale of special categories of personal data;
- does not include processing of data relating to criminal convictions and offences;
- is assessed as low risk; or
- is performed by a public authority or body.