
Going Global to Europe | GDPR Article 27: Why Your Company Must Appoint a "Representative" in the EU

Published: 2026-03-23 15:12:18




GDPR Article 27: Why Your Company Must Appoint a ‘Representative’ in the EU


Introduction


As economic globalization accelerates, an increasing number of Chinese enterprises are setting their sights on the European Union market. However, while enjoying the immense opportunities presented by the EU market, these "going global" enterprises also face a series of compliance challenges, among which the General Data Protection Regulation (GDPR) is undoubtedly one of the most significant. GDPR applies not only to enterprises established within the EU but also has extraterritorial effect on non-EU enterprises that offer goods or services to, or monitor the behavior of, data subjects within the EU. Among these provisions, Article 27 of the GDPR, concerning the designation of a "representative," is often overlooked by non-EU enterprises, yet its importance cannot be overstated. This article examines the core content, scope of application, exemptions, responsibilities of the representative, and the consequences of non-compliance with Article 27 of the GDPR, and combines them with practical cases to help Chinese enterprises understand and comply with this key provision.



Core Content of GDPR Article 27


GDPR Article 27 explicitly states that where a controller or processor is not established in the Union, but its processing activities are subject to Article 3(2) of the GDPR, it shall designate in writing a “representative” in the Union [1]. This representative will serve as the primary contact point between the non-EU enterprise and EU supervisory authorities and data subjects, ensuring the effective implementation of the GDPR.


Scope of Application: Who Needs to Appoint a Representative?

Article 3(2) of the GDPR defines its extraterritorial scope, meaning that even if a controller or processor is not established in the EU, it must comply with the GDPR if its data processing activities involve either of the following two situations:


  1. Offering goods or services to data subjects in the EU: Whether a payment is required is irrelevant. If an enterprise offers goods or services to individuals in the EU and processes their personal data in doing so, it falls within Article 3(2) and, unless one of the exemptions discussed below applies, must appoint a representative. Recital 23 makes clear that mere accessibility of a website from the EU is not enough; factors such as offering the site in an EU language or currency, or mentioning customers in the EU, indicate that goods or services are being offered to EU data subjects. For example, a Chinese e-commerce platform selling goods to EU consumers and collecting their names, addresses, payment information, and other personal data would need to appoint a representative.

  2. Monitoring the behavior of data subjects in the EU: If an enterprise monitors the behavior of individuals in the EU, for instance by tracking user behavior through website cookies or providing location-based services, it also needs to appoint a representative. Recital 24 explains that monitoring includes tracking natural persons on the internet, in particular profiling that analyzes or predicts their preferences, behavior, or attitudes. For example, a Chinese social media company whose platform is used by EU users and which collects their browsing history, geographical location, and other information would need to appoint a representative.


It is important to note that the definition of "establishment" does not solely refer to having a bricks-and-mortar office. According to GDPR Recital 22, establishment implies the effective and real exercise of activity through stable arrangements; the legal form of such arrangements, whether a branch or a subsidiary with legal personality, is not the determining factor. Therefore, even without a bricks-and-mortar office, an enterprise that conducts business in the EU through other stable arrangements may be considered to have an "establishment." In that case Article 27 does not apply, because the enterprise falls under Article 3(1) rather than Article 3(2), and it is subject to the GDPR in full as an EU-established controller or processor. However, most non-EU enterprises choose not to create a permanent establishment, in order to avoid tax and accounting complexity, which makes the appointment of a representative a necessary step in their compliance.


Exemptions: Which Enterprises Can Be Exempted?

GDPR Article 27(2) provides two exemptions under which a non-EU controller or processor need not appoint a representative [1]:


  1. Occasional, small-scale, and low-risk data processing: All three conditions must be met together. The processing must be occasional; it must not include, on a large scale, processing of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life, or sexual orientation) or personal data relating to criminal convictions and offenses; and, taking into account the nature, context, scope, and purposes of the processing, it must be unlikely to result in a risk to the rights and freedoms of natural persons. For example, a Chinese company occasionally sending one-off marketing emails to EU customers without involving sensitive data might qualify for an exemption.

  2. Public authority or body: Public authorities or bodies are exempt from appointing a representative.


However, for most Chinese enterprises actively operating in the EU market, their data processing activities are often continuous, large-scale, and may involve sensitive data, making it difficult to meet the exemption criteria. For instance, a Chinese company providing online education services with users across the EU, collecting students’ personal information and learning data, would typically not fall under “occasional, small-scale, and low-risk” processing.



Responsibilities and Importance of the Representative


GDPR Article 27(4) stipulates that the representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation [1]. Specifically, the main responsibilities of the representative include:


  • Contact Point: Serving as the primary contact point between EU supervisory authorities (e.g., Data Protection Authorities) and data subjects in the EU (e.g., consumers) and the non-EU enterprise. When supervisory authorities need to investigate, issue notices, or data subjects exercise their rights (e.g., access, erasure of personal data), the representative will be responsible for receiving and relaying relevant information.

  • Record Keeping: In accordance with GDPR Article 30, the representative needs to maintain records of processing activities for the non-EU enterprise [2]; Article 30(1)(a) also requires the record to state the name and contact details of the representative. These records are crucial for demonstrating the enterprise's compliance with the GDPR.

  • Cooperation with Supervisory Authorities: Pursuant to GDPR Article 31, the representative shall cooperate with the supervisory authority upon request [2].


It is important to emphasize that the representative's role is not merely that of a "mailbox." While their duties are primarily passive, their presence ensures that EU supervisory authorities and data subjects can effectively communicate with non-EU enterprises, thereby safeguarding data subjects' rights. Two further points follow from the text of the Regulation: under Article 27(5), designating a representative is without prejudice to legal actions that may be brought against the controller or processor themselves, and Recital 80 states that the representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor. Appointing a representative therefore does not shift liability away from the enterprise, and the representative itself carries real exposure. If a non-EU enterprise fails to appoint a representative, supervisory authorities will find it difficult to regulate it effectively, and data subjects will struggle to exercise their rights, which severely undermines the enforceability of the GDPR.



Consequences of Non-Compliance with GDPR Article 27


Failure to comply with the provisions of GDPR Article 27, i.e., failing to appoint a representative in the EU, can lead to severe consequences. According to GDPR Article 83(4), infringements of Article 27 are subject to administrative fines of up to 10 million Euros, or 2% of the enterprise’s total worldwide annual turnover of the preceding financial year, whichever is higher [2].


Real-World Cases: Fines and Reputational Damage

Publicly reported fines based specifically on Article 27 remain relatively rare, but they exist. In 2021 the Dutch supervisory authority (Autoriteit Persoonsgegevens) fined the website Locatefamily.com EUR 525,000 for failing to designate an EU representative, after data subjects had been unable to get their details removed from the site. More broadly, supervisory authorities have intensified their scrutiny of non-EU enterprises and have opened investigations upon discovering that a company lacked a representative. Even where an investigation does not end in a hefty fine, it consumes significant time and resources and may damage the enterprise's reputation.


A typical scenario would be a non-EU online service provider with a large user base in the EU but no designated representative. If a data breach affecting EU users occurs, supervisory authorities may be unable to reach the service provider promptly, delaying breach notification and remedial measures. The obligation to notify the supervisory authority within 72 hours under Article 33 rests with the controller regardless of whether a representative exists, so the absence of a representative does not excuse a late notification. In such a scenario, the supervisory authority may pursue liability for the breach itself and, in addition, impose a separate fine for the failure to appoint a representative.



Response Strategies for Chinese Enterprises


For Chinese enterprises “going global” into the EU, actively addressing the requirements of GDPR Article 27 is crucial. Here are some recommendations:


  1. Assess Applicability: First, enterprises should carefully evaluate their business models to determine whether they fall within the scope of GDPR Article 3(2) and whether they meet the exemption conditions of Article 27(2). If in doubt, professional legal advice should be sought.

  2. Timely Appointment of Representative: If it is determined that a representative needs to be appointed, a reputable and experienced organization or individual should be selected as the EU representative as soon as possible. Under Article 27(3), the representative must be established in one of the Member States where the data subjects whose data are processed (those offered goods or services, or whose behavior is monitored) are located, not merely in any EU Member State.

  3. Clear Authorization and Responsibilities: A written agreement should be signed with the representative, clearly defining the scope of the mandate, responsibilities, communication mechanisms, and liability sharing, to ensure the representative can effectively perform their duties.

  4. Update Privacy Policy: Clearly disclose the identity and contact details of the EU representative in the enterprise's privacy policy, as Articles 13(1)(a) and 14(1)(a) require this information to be provided to data subjects, so that supervisory authorities and data subjects can contact the representative easily.

  5. Establish Internal Compliance Mechanisms: Establish a comprehensive internal data protection compliance mechanism, including records of processing activities and a data breach incident response plan, and ensure effective collaboration with the EU representative.



Conclusion


GDPR Article 27 is not a “hidden obligation” but a clear requirement that non-EU enterprises must face when entering the EU market. Appointing a qualified EU representative is not only a legal obligation to comply with the GDPR but also a crucial step for enterprises to build trust and maintain their reputation in the EU market. Chinese enterprises should fully recognize the importance of this article, actively take measures to ensure compliant operations, and thus achieve steady and long-term development in the EU market.



  • References

[1] GDPR-info.eu. (n.d.). Art. 27 GDPR – Representatives of controllers or processors not established in the Union. Retrieved from https://gdpr-info.eu/art-27-gdpr/ 

[2] IAPP. (2018, June 12). Representatives under Art. 27 of the GDPR: All your questions answered. Retrieved from https://iapp.org/news/a/representatives-under-art-27-of-the-gdpr-all-your-questions-answered



Disclaimer

This article is for exchange and discussion purposes only and does not constitute legal opinion or advice of any kind issued by 廣悅律師事務所 (Guangyue Law Firm) or its lawyers. To reprint or quote any part of this article, please contact the firm for authorization and cite the source when reprinting or quoting. If you would like to discuss related matters further or need professional legal support, you are welcome to contact the firm.






Contact: Ms. 葉文 (Ye Wen)

We look forward to further exchanges with you!





About 廣悅律師事務所 (Guangyue Law Firm)

Founded in 2008, 廣悅律師事務所 is a comprehensive, foreign-related law firm based in the Greater Bay Area that operates under integrated management. It has built a professional team of more than one hundred lawyers and other legal service staff and a diversified practice structure, providing clients with high-quality, full-scope, one-stop legal services. Following its strategy of "rooted in the Bay Area, collaborating with Hong Kong and Macao, facing the world," the firm has eight offices: Guangzhou, Hong Kong, Shenzhen, Bangkok, Los Angeles, Sydney, Tokyo, and Milan, and serves clients in many countries and regions at home and abroad.



Contributed by | Milan Office, 廣悅律師事務所

Editor | 餘皚琳

Reviewed by | 黃曉俊

Approved by | Brand Promotion and Market Development Committee
