Wouter Seinen of Pinsent Masons writes:
Under Article 27 of the GDPR, controllers or processors that are not established in the EU but nevertheless process EU citizens’ personal data for the purposes of offering goods or services or monitoring their behaviour must “designate in writing a representative in the Union”, subject to limited exceptions.
The designated representative must be based in an EU country “where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”. Tasks of the designated representative include liaising with data subjects and regulators. The obligation to appoint a representative does not apply to public sector bodies.
Earlier this week, the AP announced that it had fined Locatefamily.com €525,000 because the company did not comply with its Article 27 obligation to designate an EU representative in writing.
Read more on Out-Law.com.