GDPR Article 27 Requirements: EU Representative Explained

Article 27 of the GDPR is one of the most commonly overlooked obligations for organisations operating outside the European Union. While many non-EU businesses recognise that GDPR may apply to them, fewer realise it may also require them to appoint a representative within the EU. This requirement is designed to ensure accountability, regulatory access, and effective communication with data subjects, regardless of an organisation’s location.

This guide explains what Article 27 requires, who must appoint a representative, when exemptions apply, and how to comply in practice without creating unnecessary legal or operational risk.

What is GDPR Article 27?

Article 27 of the GDPR requires controllers or processors not established in the EU to designate a representative based in an EU member state when processing the personal data of EU residents. This obligation, as laid down in the regulation, became enforceable on May 25, 2018.

The designated representative serves as a local contact point within the European Union. This person or organisation acts as an intermediary between your business and both supervisory authorities and data subjects. The representative must be mandated in writing to be addressed on all issues related to processing activities.

Non-compliance carries significant financial consequences. Supervisory authorities can impose administrative fines of up to €10 million or 2% of global annual turnover under Article 83(4)(a). Beyond monetary penalties, organisations risk regulatory investigations and reputational damage that can affect market access.

Quick Assessment: Do You Need a Representative?

Answer these questions for immediate clarity:

You need an Article 27 representative if:

Your organisation is established outside the EU
You offer goods or services to EU residents (free or paid)
You monitor the behaviour of natural persons in the EU
You collect personal data relating to these activities

You can skip this requirement if:

Your organisation already has an establishment in the EU
Your processing is occasional, low-risk, and excludes special categories of data
You are a public authority or body

Most non-EU e-commerce businesses, SaaS companies, and marketing firms that process the personal data of EU residents will need representation. A U.S. software company collecting names, emails, and billing addresses from German customers requires a representative, even without a European office.

Who Must Appoint an Article 27 Representative

The obligation applies broadly to non-EU organisations subject to GDPR’s territorial scope.

Non-EU controllers offering goods or services: Any business selling products or services to EU residents must comply with the GDPR. This includes online retailers, subscription services, and professional service providers. The regulation applies where you actively target EU markets, for example through localised websites, EU currencies, or EU-specific advertising.

Non-EU processors monitoring EU residents: Organisations tracking user behaviour through cookies, location data, or website analytics fall under this requirement. The monitoring dimension of GDPR’s scope is expansive.

Industry examples:

E-commerce platforms shipping to EU countries
SaaS providers with EU customer bases
Marketing agencies collecting data on EU consumers
Mobile app developers with EU users
Cloud service processors handling EU client data

The applicability test focuses on whether your organisation targets or engages with individuals in the European Union, not on transaction volume.

When Article 27 Does NOT Apply

The GDPR states specific exemptions from the representation requirement.

Occasional processing exemption: Processing qualifies for exemption when it meets all of these criteria:

Occurs on an occasional basis only
Does not include large-scale processing of special categories of data (Article 9)
Does not involve personal data relating to criminal convictions and offences referred to in Article 10
Is unlikely to result in risk to the rights and freedoms of natural persons

Public authorities: Government bodies and public institutions are exempt from appointing a representative.

Already established in the EU: If your organisation maintains an establishment in an EU member state, Article 27 does not apply. A subsidiary operating under separate service agreements does not qualify as the parent company’s establishment for this purpose.

The occasional processing exemption is narrow for commercial organisations. You must assess the nature, context, scope, and purposes of your processing to determine eligibility.

What Does an Article 27 Representative Do

The representative holds active operational obligations under GDPR, not a ceremonial role.

Primary responsibilities:

1. Contact point for supervisory authorities: Representatives must respond to inquiries from data protection regulators and cooperate with enforcement proceedings when initiated.

2. Handle data subject requests: The representative manages communications from individuals seeking to exercise their rights, such as access or deletion requests.

3. Maintain records of processing activities: The representative keeps a current copy of Article 30 records (RoPA). Your organisation prepares these records; the representative maintains them for regulatory review.

4. Explain processing practices: Representatives must be prepared to explain your organisation's data practices to regulators clearly and promptly.

The representative can serve as the sole point of contact, allowing direct communication without involving your organisation in every interaction. Unresponsiveness or lack of qualifications on the representative's part can result in enforcement action against your business.

How to Comply with Article 27

Step 1: Determine your EU member state

Select a country where your data subjects are located. If you process data from multiple member states, your representative should be established in the member state where the majority of your EU customers or users reside.

Step 2: Select a qualified representative

Identify a person or organisation physically based in the EU with relevant expertise in GDPR compliance. Competence and responsiveness are non-negotiable attributes given the active nature of this role.

Step 3: Create a written mandate

The designation must be in writing. This mandate should specify:

The representative's authority to act on all processing-related issues
Responsibilities for cooperating with supervisory authorities
Communication channels with data subjects
Record-keeping obligations

Step 4: Update your privacy policy

Include your representative's contact details in your privacy notice. Data subjects and regulators must be able to reach your representative easily.

Step 5: Establish communication processes

Create clear procedures for:

Forwarding data subject requests
Sharing updates on processing activities
Responding to regulatory inquiries
Maintaining current RoPA documentation

Representative vs Data Protection Officer

These roles serve different purposes under GDPR.

Aspect | Article 27 Representative | Data Protection Officer
Requirement trigger | Non-EU organisations processing EU data | Core activities involving large-scale monitoring or special categories of data
Location | Must be in an EU member state | Can be anywhere
Primary function | Local contact for authorities and data subjects | Internal compliance oversight and advice
Legal basis | Article 27 | Article 37

When you might need both: A non-EU organisation conducting large-scale processing may require an EU representative for accessibility and a DPO for internal compliance management.

Can one person serve both roles? Technically possible if the individual meets the qualifications for both positions. The requirements and purposes remain distinct.

Common Compliance Mistakes

Wrong country selection

Appointing a representative in a member state where you have no data subjects undermines the purpose of local accessibility.

Inadequate written mandate

The designation must be formal and comprehensive. Vague agreements create liability gaps and operational confusion.

Outdated privacy policies

Failing to include representative contact details, or to keep that information up to date, violates transparency requirements.

Poor communication channels

Representatives cannot fulfil their obligations without timely information about your processing activities and data subject requests.

Assuming subsidiaries qualify

A subsidiary operating under separate service agreements does not constitute your establishment. You may still need a designated representative.

FAQ

Can my EU customer serve as my representative?

Technically possible if they meet competency requirements and accept the mandate in writing. The practical challenges of liability, confidentiality, and professional service capacity make dedicated representative services preferable for most organisations.

What happens if I don't appoint a representative?

Supervisory authorities can conduct audits, initiate enforcement proceedings, and impose fines of up to €10 million or 2% of global turnover. Legal actions against your organisation remain fully applicable. You cannot claim inaccessibility as a defence.

How much does Article 27 compliance cost?

Representative services range from a few hundred to several thousand euros annually, depending on scope, location, and service level. Costs vary based on processing complexity and support requirements.

Can I change representatives later?

Yes. The designation relationship can be terminated, and a new representative can be appointed. Update your privacy policy and notify relevant supervisory authorities of the change.

Note: This content was created with AI assistance.