1 Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. 2 The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. 3 The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. 4 The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. 5 Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. 6 The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
This recital of the General Data Protection Regulation clarifies article 27 GDPR (Representatives of controllers or processors not established in the Union).*