1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
2. The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
Text taken from the latest consolidated version of Regulation (EU) 2016/679, incorporating the corrections made by the Corrigendum, OJ L 127, 23.5.2018, p. 2. Source: EUR-Lex.
(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.
ISO/IEC 27701, published in 2019, adds privacy-specific guidance on top of ISO/IEC 27002, section 6.1.1 (Information security roles and responsibilities).
The clause relevant to Article 27 GDPR is:
6.3.1.1 Information security roles and responsibilities
The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).
The organization should appoint one or more persons responsible for developing, implementing, maintaining and monitoring an organization-wide governance and privacy program, to ensure compliance with all applicable laws and regulations regarding the processing of PII.