GDPR Article 27 Exemption: Do You Need an EU Representative?

Most non-EU organisations that process the personal data of individuals in the EU must appoint an EU representative under GDPR Article 27. Exemptions exist, but they are narrow, and most businesses do not qualify.

If you’re hoping your company falls into an exempt category, this guide will help you assess whether that’s realistic or whether you should start looking for a representative.

What Are the Article 27 GDPR Exemptions?

The General Data Protection Regulation requires controllers and processors not established in the EU to designate a representative in the European Union when they offer goods or services to data subjects in the EU or monitor the behaviour of individuals within the EU (Article 3(2)). Article 27(2) provides limited exceptions to this obligation.

Two exemption pathways exist:

1. The cumulative conditions exemption applies when ALL of the following are true:

The processing is occasional
Processing does not include large-scale handling of special categories of data (Article 9)
Processing does not include large-scale handling of personal data relating to criminal convictions and offences (Article 10)
Processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.

2. The public authority exemption applies to governmental entities equivalent to EU public bodies.

The critical point: for the first exemption, every single condition must be satisfied simultaneously. Missing even one disqualifies your organisation entirely.

Most digital businesses fail at the first hurdle, i.e. the “occasional processing” requirement. If your website collects visitor data continuously or your app tracks user behaviour, you are already outside the exemption scope.

Detailed Breakdown of Exemption Conditions

Each exemption condition has specific criteria that supervisory authorities evaluate carefully. Understanding these in detail is necessary before claiming any exemption applies.

Occasional Processing Requirement

“Occasional” means infrequent, irregular data processing activities that don’t form part of your regular business operations.

What qualifies as occasional:

A one-time market research survey involving EU respondents
A single event where EU participant data is collected
Sporadic, unpredictable interactions without any pattern

What doesn’t qualify as occasional:

Website analytics tracking EU visitors
Mobile app usage data collection
Cloud services storing EU customer data continuously
Email marketing campaigns to EU residents
E-commerce transactions with EU customers
Any service with ongoing data flows from EU users

The European Data Protection Board guidance clarifies that systematic online services cannot qualify as occasional. If your business model involves regular interaction with EU data subjects through a website, app, or digital service, the exemption is not available to you.

A US software company providing continuous SaaS services to EU customers processes data regularly by definition. The service’s ongoing nature eliminates any occasional processing argument before other factors are even considered.

Large-Scale Processing Exclusion

Even if your processing is occasional, handling special-category or criminal-offence data on a large scale disqualifies the exemption. Note that the large-scale test in Article 27(2)(a) is tied to Article 9 and Article 10 data: large-scale processing of ordinary personal data is not an independent disqualifier, but it will usually mean the processing is neither occasional nor low-risk. What counts as “large scale” depends on several factors:

Volume of data processed
Number of individuals affected
Duration of processing activities
Geographic reach
Proportion of the relevant population

Common examples of large-scale processing include: hospital patient databases, insurance records, banking transaction histories, city-wide location tracking, and profiling thousands of people. There are no fixed numerical thresholds in the GDPR, so supervisory authorities may classify the same activity differently. In practice, authorities tend to interpret “large scale” broadly, prioritising data protection over business convenience.

Special Categories and Criminal Data Exclusion

Article 9 of the GDPR defines special categories of personal data requiring heightened protection:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data for identification
Health data
Sex life or sexual orientation data

Article 10 covers personal data relating to criminal convictions and offences referred to in criminal proceedings.

Common business activities involving special categories:

Healthcare apps collecting health data
Fitness trackers collecting health data
HR systems recording religious accommodation requests
Background check services handling criminal records
Dating apps processing sexual orientation data

If your organisation processes any of these data types at scale, even occasionally, the exemption does not apply. A non-EU health technology company serving EU patients cannot claim an exemption regardless of processing frequency.

Common Scenarios That Don’t Qualify for Exemptions

Understanding why specific business models fail the exemption criteria helps clarify the narrow scope.

SaaS Platform Serving EU Customers

Continuous data processing as a core business function
Regular data flows from EU users
Often involves systematic monitoring of service usage
Result: Fails occasional processing test

Mobile App with EU Downloads

Ongoing collection of user data
Analytics and crash reporting create continuous processing
Push notifications require persistent data relationships
Result: Fails occasional processing test

E-commerce Site Accepting EU Orders

Regular transaction processing
Customer account data is maintained continuously
Marketing communications create ongoing relationships
Payment data processing adds sensitivity
Result: Fails occasional processing test

Marketing Agency Running EU Campaigns

Systematic targeting of EU residents
Behavioural tracking of EU users
Profiling activities create ongoing data processing
Result: Fails occasional processing test and likely fails risk assessment

HR Tech Company with EU Client Employees

Processes employee data continuously
May handle health, diversity, or background check data
Systematic nature of HR operations
Result: Fails occasional processing test; may fail special categories test

In practice, the large majority of non-EU software companies targeting EU markets do not meet the exemption criteria. The exemption was designed for genuinely sporadic, low-risk activities, not regular commercial operations.

How to Assess if Your Organisation Qualifies for Exemptions

A systematic assessment approach helps accurately determine exemption eligibility.

Step 1: Map Your Processing Activities

Document all processing of personal data involving EU residents by noting what data you collect, how often it is collected, the purposes for which it is processed, how long it is retained, and the categories of data subjects affected.

Step 2: Evaluate Processing Frequency

Ask yourself whether processing occurs on a regular, predictable basis, whether it is integrated into your normal business operations, and whether you maintain ongoing relationships with EU data subjects. If you answer “yes” to any of these, the exemption likely does not apply.

Step 3: Assess Data Categories

Review whether you process any special categories of data under Article 9 or any data relating to criminal convictions or offences under Article 10, and, if so, whether that processing is large-scale. Separately, note whether you process ordinary personal data at scale (thousands of records or systematic processing), since this weighs heavily against the “occasional” and “unlikely to result in a risk” conditions.

Step 4: Conduct Risk Assessment

Evaluate the nature, context, scope, and purposes of your processing. Consider whether it could lead to discrimination, cause financial harm, affect vulnerable individuals such as children or patients, or involve profiling or monitoring.

Step 5: Document Your Analysis

Regardless of the conclusion, maintain records of your assessment, including the assessment date, the data processing activities reviewed, your analysis of each exemption criterion, the conclusion and reasoning, and a plan for periodic reassessment.

Step 6: Reassess Regularly

Business operations change, and what qualifies as occasional today might become regular next quarter. Schedule reviews when launching new products or services, entering new EU markets, changing data processing practices, or at least annually as part of your general policy.

What to Do if You Don’t Qualify for Exemptions

If your assessment reveals you need an EU representative, which applies to most organisations, here’s how to proceed.

Selecting a Representative

Your representative must be:

Established in one of the EU member states where your data subjects are located
Capable of substantive GDPR interactions (not a mere mailbox)
Available to respond to inquiries from supervisory authorities
Accessible as a contact point for data subjects

The representative can be an individual or an entity. Specialised compliance services exist specifically for this purpose, with costs typically ranging from €500 to €5,000 annually, depending on the service scope.

Formal Appointment Requirements

Written mandate specifying the representative’s tasks
Clear documentation of the appointment
Representative’s contact details must appear in your privacy notice
Representative’s details must be provided to supervisory authorities when requested

Timeline Considerations

Don’t wait for an enforcement action. GDPR compliance obligations apply from the moment you begin processing EU personal data. A retroactive appointment doesn’t cure past non-compliance.

Documentation Requirements

Maintain records including:

Appointment documentation
Representative mandate scope
Communication protocols
Contact details for all parties

The representative requirement under Article 27 creates a local contact for supervisory authorities and EU residents without transferring legal responsibility from your organisation. You remain the data controller or processor accountable for GDPR compliance.

Regulatory Enforcement and Exemption Claims

Supervisory authorities take Article 27 obligations seriously, and incorrect exemption claims carry consequences.

How Authorities Assess Exemption Claims

When examining your exemption claim, data protection authorities will:

Request documentation of your assessment process
Evaluate whether processing activities genuinely qualify as occasional
Review data categories processed
Assess your risk evaluation methodology
Consider the totality of your EU-facing activities

The burden of proof rests with your organisation. Claiming an exemption applies without supporting documentation is itself a compliance failure.

Penalties for Non-Compliance

Under Article 83(4), infringements of the representative obligations in Article 27 can result in fines of up to €10 million or, for an undertaking, 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. Broader GDPR violations under Article 83(5) can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The fine is calculated on your organisation’s turnover, not the representative’s.

Enforcement Examples

Since the GDPR came into effect in 2018, enforcement actions have targeted non-EU entities without proper representation. Fines have been levied against technology companies that failed to appoint representatives while actively processing the personal data of EU data subjects, in some cases alongside larger fines for other GDPR infringements.

German supervisory authorities issued guidance in 2023 emphasising risk-based self-assessments by third-country controllers, signalling continued attention to this obligation.

Practical Enforcement Reality

Non-EU organisations often assume that distance from EU authorities provides protection. This assumption is increasingly problematic as:

Cross-border enforcement cooperation improves
Data protection authorities share information
The EU can restrict services to its market
Reputational consequences affect business relationships

Conclusion

The Article 27 exemptions exist for genuinely occasional, low-risk processing activities that don’t involve sensitive data. In practice, this covers ad-hoc researchers, one-time event organisers, and similar sporadic activities, not ongoing commercial operations.

Professional compliance advice is valuable when your situation involves complexity. Certain circumstances may create genuine exemption eligibility, but those cases are rare enough that professional validation protects your organisation from costly misinterpretation.

Frequently Asked Questions

Does the exemption apply if we only process EU data occasionally during certain business hours?

No. “Occasional” refers to sporadic, unpredictable processing, not regular processing that occurs during limited hours. If processing happens as part of normal business operations, regardless of timing, it’s not occasional.

We’re a B2B company. Does that mean we don’t have EU data subjects?

Not necessarily. If your B2B clients provide employee information, you process personal data of EU data subjects. Contact details, user accounts, and support interactions all involve the data of EU individuals.

Can we appoint a single EU representative to cover all EU member states?

Yes. One representative can serve as your contact point for all EU supervisory authorities. The representative should be established in a member state where your data subjects are located.

Note: This content was created with AI assistance.