Most non-EU organisations that process the personal data of EU residents must appoint an EU representative under GDPR Article 27. The exemptions exist, but they’re narrow, and most businesses don’t qualify.
If you’re hoping your company falls into an exempt category, this guide will help you assess whether that’s realistic or whether you should start looking for a representative.
The General Data Protection Regulation requires non-EU businesses to designate a representative in the European Union when they offer goods or services to EU data subjects or monitor the behaviour of individuals within the EU. Article 27(2) provides limited exceptions to this obligation.
Two exemption pathways exist:
1. The cumulative conditions exemption applies when ALL of the following are true:
• The processing is occasional
• Processing does not include large-scale handling of special categories of data (Article 9)
• Processing does not include large-scale handling of personal data relating to criminal convictions and offences (Article 10)
• Processing is unlikely to result in risk to the rights and freedoms of natural persons.
2. The public authority exemption applies to governmental entities equivalent to EU public bodies.
The critical point: for the first exemption, every single condition must be satisfied simultaneously. Missing even one disqualifies your organisation entirely.
Most digital businesses fail at the first hurdle, i.e. the “occasional processing” requirement. If your website collects visitor data continuously or your app tracks user behaviour, you’re already outside the exemption scope.
Each exemption condition has specific criteria that supervisory authorities evaluate carefully. Understanding these in detail is necessary before claiming any exemption applies.
“Occasional” means infrequent, irregular data processing activities that don’t form part of your regular business operations.
What qualifies as occasional:
• A one-time market research survey involving EU respondents
• A single event where EU participant data is collected
• Sporadic, unpredictable interactions without any pattern
What doesn’t qualify as occasional:
• Website analytics tracking EU visitors
• Mobile app usage data collection
• Cloud services storing EU customer data continuously
• Email marketing campaigns to EU residents
• E-commerce transactions with EU customers
• Any service with ongoing data flows from EU users
The European Data Protection Board guidance clarifies that systematic online services cannot qualify as occasional. If your business model involves regular interaction with EU data subjects through a website, app, or digital service, the exemption is unavailable to you in practice.
A US software company providing continuous SaaS services to EU customers processes data regularly by definition. The service’s ongoing nature eliminates any occasional processing argument before other factors are even considered.
Even if your processing is occasional, handling large amounts of sensitive data automatically disqualifies the exemption. What counts as “large scale” depends on several factors:
• Volume of data processed
• Number of individuals affected
• Duration of processing activities
• Geographic reach
• Proportion of the relevant population
Common examples of large-scale processing include: hospital patient databases, insurance records, banking transaction histories, city-wide location tracking, and profiling thousands of people. There are no fixed thresholds, so one authority may classify an activity as large-scale while another does not; for example, processing 10,000 health records might be considered large-scale in Ireland but not in another country. In practice, authorities tend to interpret “large scale” broadly, prioritising data protection over business convenience.
Article 9 of the GDPR defines special categories of personal data requiring heightened protection:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for identification
• Health data
• Sex life or sexual orientation data
Article 10 covers personal data relating to criminal convictions and offences referred to in criminal proceedings.
Common business activities involving special categories:
• Healthcare apps collecting health data
• Fitness trackers processing biometric information
• HR systems recording religious accommodation requests
• Background check services handling criminal records
• Dating apps processing sexual orientation data
If your organisation processes any of these data types at scale, even occasionally, the exemption does not apply. A non-EU health technology company serving EU patients cannot claim an exemption regardless of processing frequency.
Understanding why specific business models fail the exemption criteria helps clarify the narrow scope.
SaaS Platform Serving EU Customers
• Continuous data processing as a core business function
• Regular data flows from EU users
• Often involves systematic monitoring of service usage
• Result: Fails occasional processing test
Mobile App with EU Downloads
• Ongoing collection of user data
• Analytics and crash reporting create continuous processing
• Push notifications require persistent data relationships
• Result: Fails occasional processing test
E-commerce Site Accepting EU Orders
• Regular transaction processing
• Customer account data is maintained continuously
• Marketing communications create ongoing relationships
• Payment data processing adds sensitivity
• Result: Fails occasional processing test
Marketing Agency Running EU Campaigns
• Systematic targeting of EU residents
• Behavioural tracking for adoption
• Profiling activities create ongoing data processing
• Result: Fails occasional processing test and likely fails risk assessment
HR Tech Company with EU Client Employees
• Processes employee data continuously
• May handle health, diversity, or background check data
• Systematic nature of HR operations
• Result: Fails occasional processing test; may fail special categories test
Over 90% of non-EU software companies targeting EU markets fail to meet the exemption criteria, according to industry analyses. The exemption was designed for genuinely sporadic, low-risk activities, not regular commercial operations.

A systematic assessment approach helps accurately determine exemption eligibility.
Document all processing of personal data involving EU residents by noting what data you collect, how often it is collected, the purposes for which it is processed, how long it is retained, and the categories of data subjects affected.
Ask yourself whether processing occurs on a regular, predictable basis, whether it is integrated into your normal business operations, and whether you maintain ongoing relationships with EU data subjects. If you answer “yes” to any of these, the exemption likely does not apply.
Review whether you process any special categories of data under Article 9, any data relating to criminal convictions or offences under Article 10, or any data at scale, such as thousands of records or systematic processing.
Evaluate the nature, context, scope, and purposes of your processing. Consider whether it could lead to discrimination, cause financial harm, affect vulnerable individuals such as children or patients, or involve profiling or monitoring.
Regardless of the conclusion, maintain records of your assessment, including the assessment date, the data processing activities reviewed, your analysis of each exemption criterion, the conclusion and reasoning, and a plan for periodic reassessment.
Business operations change, and what qualifies as occasional today might become regular next quarter. Schedule reviews when launching new products or services, entering new EU markets, changing data processing practices, or at least annually as part of your general policy.
If your assessment reveals you need an EU representative, which applies to most organisations, here’s how to proceed.
Your representative must be:
• Established in one of the EU member states where your data subjects are located
• Capable of substantive GDPR interactions (not a mere mailbox)
• Available to respond to inquiries from supervisory authorities
• Accessible as a contact point for data subjects
The representative can be an individual or an entity. Specialised compliance services exist specifically for this purpose, with costs typically ranging from €500 to €5,000 annually, depending on the service scope.
Formalising the appointment requires:
• Written mandate specifying the representative’s tasks
• Clear documentation of the appointment
• Representative’s contact details must appear in your privacy notice
• Representative’s details must be provided to supervisory authorities when requested
Don’t wait for an enforcement action. GDPR compliance obligations apply from the moment you begin processing EU personal data. A retroactive appointment doesn’t cure past non-compliance.
Maintain records including:
• Appointment documentation
• Representative mandate scope
• Communication protocols
• Contact details for all parties
The representative requirement under Article 27 creates a local contact for supervisory authorities and EU residents without transferring legal responsibility from your organisation. You remain the data controller or processor accountable for GDPR compliance.
Supervisory authorities take Article 27 obligations seriously, and incorrect exemption claims carry consequences.
When examining your exemption claim, data protection authorities will:
• Request documentation of your assessment process
• Evaluate whether processing activities genuinely qualify as occasional
• Review data categories processed
• Assess your risk evaluation methodology
• Consider the totality of your EU-facing activities
The burden of proof rests with your organisation. Claiming an exemption applies without supporting documentation is itself a compliance failure.
Article 83 violations related to representative requirements can result in fines of up to €10 million or 2% of the representative’s annual global turnover. Broader GDPR violations can result in fines of up to €20 million or 4% of turnover.
Since the GDPR came into effect in 2018, enforcement actions have targeted non-EU entities without proper representation. Fines ranging into the millions of euros have been levied against technology companies that failed to appoint representatives while actively processing the information of EU data subjects.
German supervisory authorities issued guidance in 2023 emphasising risk-based self-assessments by third-country controllers, signalling continued attention to this obligation.
Non-EU organisations often assume that distance from EU authorities provides protection. This assumption is increasingly problematic as:
• Cross-border enforcement cooperation improves
• Data protection authorities share information
• The EU can restrict services to its market
• Reputational consequences affect business relationships
The Article 27 exemptions exist for genuinely occasional, low-risk processing activities that don’t involve sensitive data. In practice, this covers ad-hoc researchers, one-time event organisers, and similar sporadic activities, not ongoing commercial operations.
Professional compliance advice is valuable when your situation involves complexity. Certain circumstances may create genuine exemption eligibility, but those cases are rare enough that professional validation protects your organisation from costly misinterpretation.
No. “Occasional” refers to sporadic, unpredictable processing, not regular processing that occurs during limited hours. If processing happens as part of normal business operations, regardless of timing, it’s not occasional.
Not necessarily. If your B2B clients provide employee information, you process personal data of EU data subjects. Contact details, user accounts, and support interactions all involve the data of EU individuals.
Yes. One representative can serve as your contact point for all EU supervisory authorities. The representative should be established in a member state where your data subjects are located.
Note: This content was created with AI assistance.