{"id":5908,"date":"2021-05-17T16:18:28","date_gmt":"2021-05-17T20:18:28","guid":{"rendered":"https:\/\/www.millerthomson.com\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/"},"modified":"2026-03-18T13:25:49","modified_gmt":"2026-03-18T17:25:49","slug":"canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative","status":"publish","type":"post","link":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/","title":{"rendered":"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative"},"content":{"rendered":"\n<p>As we have discussed in <a href=\"https:\/\/www.millerthomson.com\/en\/blog\/mt-cybersecurity-blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">several previous articles<\/a>, Canadian businesses and other organizations can be subject to the European <a href=\"https:\/\/www.millerthomson.com\/en\/blog\/mt-cybersecurity-blog\/gdpr-turns-one-eh-current-impact-on-canadian-businesses-and-the-road-ahead\/\" target=\"_blank\" rel=\"noopener noreferrer\"><u>General Data Protection Regulation<\/u><\/a> (\u201c<strong>GDPR<\/strong>\u201d) for a number of reasons and in a number of different contexts, be it as a \u201cdata processor\u201d (i.e. the service provider to the data controller), as \u201cdata controller\u201d (the organization deemed in control of the personal data at issue) or as \u201cjoint controller\u201d with another organization, irrespective of whether the Canadian concern has a physical presence in the EU. The requirement to have an \u201cArticle 27\u201d representative has existed since the inception of the GDPR but it has been an elusive and quite enigmatic requirement. Not to be confused with the concept of a \u201c<a href=\"https:\/\/gdpr-info.eu\/art-37-gdpr\/\" target=\"_blank\" rel=\"noopener noreferrer\">Data Protection Officer<\/a>\u201d, an \u201cArticle 27 representative\u201d should serve as a contact and gatekeeper for matters pertaining to the processing of EU personal data. This requirement had not at first been enforced but this appears to be changing with a company facing a considerable fine of \u20ac525,000.00 (approximately $900,000CDN) for failing to have a representative established.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dutch regulator fines LocateFamily.com \u20ac525,000<\/h2>\n\n\n\n<p>On May 12, 2021, the <em>Autoriteit Persoonsgegevens<\/em>, <a href=\"https:\/\/autoriteitpersoonsgegevens.nl\/en\/news\/dutch-dpa-imposes-fine-%E2%82%AC525000-locatefamilycom\" target=\"_blank\" rel=\"noopener noreferrer\">Dutch Data Protection Authority (\u201cDPA\u201d), released its decision<\/a> to impose a fine of \u20ac525,000 against Locatefamily.com, a platform that allows people to search for the contact information of family members or other people that they would like to connect with. The DPA found Locatefamily.com in breach of Article 27 of the GDPR which requires businesses without an establishment in a Member State of the European Union (the \u201cEU\u201d) but who are subject to the GDPR by virtue of Art. 3.2(a) or 3.2(b) to designate a \u201crepresentative\u201d in the EU.<\/p>\n\n\n\n<p>In addition to the fine, the DPA mandated that Locatefamily.com designate a representative in the EU by March 18, 2021. If it was unable to do so, Locatefamily.com was required to pay \u20ac20,000 for each two (2) week period that it does not have a representative, up to a maximum fine of up to \u20ac120,000.<\/p>\n\n\n\n<p>The DPA reported that their decision came following the receipt of multiple complaints regarding Locatefamily.com and an international investigation in cooperation with nine other European privacy supervisory authorities and the Office of the Privacy Commissioner of Canada.<\/p>\n\n\n\n<p>The DPA expressed concern regarding Locatefamily.com\u2019s practice of publishing full addresses and phone numbers of individuals who most often are reported to be unaware of how their details came to appear on the site. With the contact information of approximately 700,000 Dutch people on the site, <a href=\"https:\/\/autoriteitpersoonsgegevens.nl\/en\/news\/dutch-dpa-imposes-fine-%E2%82%AC525000-locatefamilycom\" target=\"_blank\" rel=\"noopener noreferrer\">DPA deputy chair Monique Verdier<\/a> mentioned that:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00a0\u201cfor a website to publish your phone number and address without your knowledge is unacceptable. You can certainly share this information if you want to, but this should be your choice to make. With Locatefamily.com, many people aren\u2019t given that choice. And if your address and phone number do end up on this site, there must be an easy way to have that information removed. That\u2019s not possible here, partly because Locatefamily.com does not have a representative in the EU.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p>Pursuant to <a href=\"https:\/\/www.privacy-regulation.eu\/en\/article-27-representatives-of-controllers-or-processors-not-established-in-the-union-GDPR.htm\" target=\"_blank\" rel=\"noopener noreferrer\">Article 27<\/a>, a <a href=\"https:\/\/www.privacy-regulation.eu\/en\/article-4-definitions-GDPR.htm\" target=\"_blank\" rel=\"noopener noreferrer\">representative<\/a> is a natural or a legal person based in one of the EU member states who acts as a gatekeeper or local representative for an organization in the EU that serves as a record keeper and contact point for all issues or questions related to an organization\u2019s processing of personal data under the GDPR. Companies may claim an <a href=\"https:\/\/www.privacy-regulation.eu\/en\/article-27-representatives-of-controllers-or-processors-not-established-in-the-union-GDPR.htm\" target=\"_blank\" rel=\"noopener noreferrer\">exemption from Article 27<\/a> if their processing is \u201coccasional\u201d and \u201cdoes not include, on a large scale, processing of <a href=\"https:\/\/www.privacy-regulation.eu\/en\/article-9-processing-of-special-categories-of-personal-data-GDPR.htm\" target=\"_blank\" rel=\"noopener noreferrer\">special categories of data<\/a>\u201d (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation) and is unlikely to result in a risk to individual\u2019s privacy rights.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations<\/h2>\n\n\n\n<p>The Dutch DPA\u2019s decision brings about practical compliance implications for Canadian business particularly as the GDPR applies to many Canadian businesses who do business internationally. It is recommended for all businesses that consider themselves subject to GDPR but do not have an establishment in the EU, that an analysis is conducted of whether or not this Article 27 Representative obligation applies.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.millerthomson.com\/en\/our-services\/focus-areas\/cybersecurity\/\">Miller Thomson&#8217;s privacy and cybersecurity team<\/a> is ready to assist in these and other privacy and data security matters, and we will continue to monitor GDPR enforcement impacting Canadian businesses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (\u201cGDPR\u201d) for a number of reasons and in a number of different contexts, be it as a \u201cdata processor\u201d (i.e. the service provider to the data controller), as \u201cdata controller\u201d (the organization [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14345,"parent":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[531],"insight-format":[418],"class_list":["post-5908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative | Miller Thomson<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative | Miller Thomson\" \/>\n<meta property=\"og:description\" content=\"As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (\u201cGDPR\u201d) for a number of reasons and in a number of different contexts, be it as a \u201cdata processor\u201d (i.e. the service provider to the data controller), as \u201cdata controller\u201d (the organization [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\" \/>\n<meta property=\"og:site_name\" content=\"Miller Thomson\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MillerThomsonLaw\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-17T20:18:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-18T17:25:49+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@millerthomson\" \/>\n<meta name=\"twitter:site\" content=\"@millerthomson\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/3f9143e8aec04617923b89fecf6886ea\"},\"headline\":\"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative\",\"datePublished\":\"2021-05-17T20:18:28+00:00\",\"dateModified\":\"2026-03-18T17:25:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\"},\"wordCount\":733,\"publisher\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg\",\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":[\"WebPage\",\"ItemPage\"],\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\",\"url\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\",\"name\":\"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative | Miller Thomson\",\"isPartOf\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg\",\"datePublished\":\"2021-05-17T20:18:28+00:00\",\"dateModified\":\"2026-03-18T17:25:49+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage\",\"url\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg\",\"contentUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg\",\"width\":1776,\"height\":994,\"caption\":\"person in hoodie looking at a computer screen\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.millerthomson.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#website\",\"url\":\"https:\/\/www.millerthomson.com\/en\/\",\"name\":\"Miller Thomson\",\"description\":\"National law firm providing business law expertise and litigation and disputes services for businesses across Canada since 1957.\",\"publisher\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.millerthomson.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#organization\",\"name\":\"Miller Thomson\",\"url\":\"https:\/\/www.millerthomson.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg\",\"contentUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg\",\"width\":380,\"height\":50,\"caption\":\"Miller Thomson\"},\"image\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/MillerThomsonLaw\/\",\"https:\/\/x.com\/millerthomson\",\"https:\/\/www.linkedin.com\/company\/miller-thomson-llp\/\",\"https:\/\/www.youtube.com\/@millerthomson\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/3f9143e8aec04617923b89fecf6886ea\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2fb85dacd7d0cf6d162ec9c30c25b90c6e69a82dbe5ebe52991d2ec0d73e4890?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2fb85dacd7d0cf6d162ec9c30c25b90c6e69a82dbe5ebe52991d2ec0d73e4890?s=96&d=mm&r=g\",\"caption\":\"admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative | Miller Thomson","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/","og_locale":"en_US","og_type":"article","og_title":"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative | Miller Thomson","og_description":"As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (\u201cGDPR\u201d) for a number of reasons and in a number of different contexts, be it as a \u201cdata processor\u201d (i.e. the service provider to the data controller), as \u201cdata controller\u201d (the organization [&hellip;]","og_url":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/","og_site_name":"Miller Thomson","article_publisher":"https:\/\/www.facebook.com\/MillerThomsonLaw\/","article_published_time":"2021-05-17T20:18:28+00:00","article_modified_time":"2026-03-18T17:25:49+00:00","author":"admin","twitter_card":"summary_large_image","twitter_creator":"@millerthomson","twitter_site":"@millerthomson","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#article","isPartOf":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/"},"author":{"name":"admin","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/3f9143e8aec04617923b89fecf6886ea"},"headline":"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative","datePublished":"2021-05-17T20:18:28+00:00","dateModified":"2026-03-18T17:25:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/"},"wordCount":733,"publisher":{"@id":"https:\/\/www.millerthomson.com\/en\/#organization"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage"},"thumbnailUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg","articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":["WebPage","ItemPage"],"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/","url":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/","name":"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative | Miller Thomson","isPartOf":{"@id":"https:\/\/www.millerthomson.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage"},"thumbnailUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg","datePublished":"2021-05-17T20:18:28+00:00","dateModified":"2026-03-18T17:25:49+00:00","breadcrumb":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#primaryimage","url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg","contentUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/Insights_Cybersecurity_Post-Image.jpg","width":1776,"height":994,"caption":"person in hoodie looking at a computer screen"},{"@type":"BreadcrumbList","@id":"https:\/\/www.millerthomson.com\/en\/insights\/cybersecurity\/canadian-organizations-take-note-data-protection-authority-fines-foreign-based-business-under-gdpr-for-not-having-article-27-representative\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.millerthomson.com\/en\/"},{"@type":"ListItem","position":2,"name":"Canadian organizations take note: Data protection authority fines foreign-based business under GDPR for not having \u201cArticle 27\u201d representative"}]},{"@type":"WebSite","@id":"https:\/\/www.millerthomson.com\/en\/#website","url":"https:\/\/www.millerthomson.com\/en\/","name":"Miller Thomson","description":"National law firm providing business law expertise and litigation and disputes services for businesses across Canada since 1957.","publisher":{"@id":"https:\/\/www.millerthomson.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.millerthomson.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.millerthomson.com\/en\/#organization","name":"Miller Thomson","url":"https:\/\/www.millerthomson.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg","contentUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg","width":380,"height":50,"caption":"Miller Thomson"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/MillerThomsonLaw\/","https:\/\/x.com\/millerthomson","https:\/\/www.linkedin.com\/company\/miller-thomson-llp\/","https:\/\/www.youtube.com\/@millerthomson"]},{"@type":"Person","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/3f9143e8aec04617923b89fecf6886ea","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2fb85dacd7d0cf6d162ec9c30c25b90c6e69a82dbe5ebe52991d2ec0d73e4890?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2fb85dacd7d0cf6d162ec9c30c25b90c6e69a82dbe5ebe52991d2ec0d73e4890?s=96&d=mm&r=g","caption":"admin"}}]}},"_links":{"self":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/5908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/comments?post=5908"}],"version-history":[{"count":1,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/5908\/revisions"}],"predecessor-version":[{"id":48008,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/5908\/revisions\/48008"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/media\/14345"}],"wp:attachment":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/media?parent=5908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/categories?post=5908"},{"taxonomy":"insight-format","embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/insight-format?post=5908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}