USANTIS: EU Representative Under Article 27 GDPR

Table of Contents

A guest post by USANTIS

USANTIS acts as the EU representative under Article 27 GDPR for companies based outside the EU. This is the role this article is about, because it is the part of European data protection that internationally active companies overlook most often.

For companies that work across borders, data protection stopped being a one-time document long ago. It is an ongoing operation. Publishing a privacy policy is not the finish line. Cookies need to be managed properly, consent recorded, access and deletion requests handled, and new tracking technologies kept in view. For that day-to-day work there is specialised software like Captain Compliance.

But there is one part of the GDPR that no software covers on its own, because it calls for a named legal contact rather than a technical control: the EU representative under Article 27. For many companies outside the EU it is the least visible item on the list, and often the only one nobody has taken care of yet. This article explains what it is, when the obligation applies, what a missing representative means, and how it fits into a clean data protection setup.

Why the GDPR applies outside Europe too

A common misconception is that the GDPR only concerns companies based in the EU. In fact it does not hinge on where a company sits, but on whose data it processes. As soon as a company without an EU establishment deliberately offers goods or services to people in Europe, or monitors their behaviour, it can fall under the regulation.

That affects more companies than many assume:

  • a US SaaS whose software is used by teams in Europe,
  • an online shop that ships to Germany, France or other EU countries,
  • an app that tracks European users through analytics or advertising tools,
  • a service provider that looks after clients in the EU and processes their data along the way.

What matters is the market, not the address. It is not where a business sits that decides, but the market it serves. Do business in Europe and you play by European rules, even from Fort Lauderdale, Toronto or Sydney.

What an EU representative under Article 27 is

If a company falls under the GDPR without being established in the EU, Article 27 requires it in many cases to designate a representative in the Union in writing. This representative is based in a member state where the company’s data subjects are located and serves there as the official point of contact.

Its task is clearly defined. Data subjects, meaning customers, users or website visitors, can turn to the representative on matters concerning their data. Supervisory authorities also use it as a contact, for instance during an inquiry or an audit. On top of that, the representative keeps the record of processing activities available for the authorities.

What matters is what the representative is not. It does not take on the company’s liability and makes no decisions about the data processing. It simply makes the responsibility that lies with the company anyway reachable within Europe.

Where USANTIS and Captain Compliance fit together

Data protection for a company with an EU footprint is made up of several roles that often get mixed up. It helps to keep them apart.

Role Who covers it What it helps with
EU representative under Art. 27 USANTIS Named point of contact in the EU for data subjects and supervisory authorities
Data protection officer internal or external, where required Advises the company and monitors compliance with data protection rules
Data protection software Captain Compliance Consent management, cookie scanning, data subject requests, website monitoring

The three work together but do not replace one another. A company can have a named contact point in the EU and still need software that collects consent properly. It can run good software and still leave the representative obligation open. USANTIS covers the first row, Captain Compliance the third.

What USANTIS takes on

USANTIS provides the EU representative under Article 27 for companies outside the EU. The client designates USANTIS as its representative, and USANTIS then serves as the point of contact for data subjects and authorities. In practice that means:

  • a named point of contact in the EU that handles inquiries from data subjects and authorities,
  • a visible compliance page that the client links from its privacy policy, so anyone looking for the representative can find it,
  • a self-service setup, done in a few minutes, without a lengthy project or a consulting engagement,
  • operation from Germany, with liability cover and a CIPP/E-qualified team.

The idea behind it is simple. An obligation that looks complicated at first should become something that is handled, without turning into a project of its own.

When the obligation applies and when it does not

Not every company with a single European contact needs a representative straight away. Article 27 includes an exception, and it is worth a close look. You may be exempt if you meet all of the following:

  • The processing is only occasional.
  • It does not involve large-scale processing of special categories of data such as health, origin or biometric data, and no data on criminal convictions.
  • It is unlikely to result in a risk to the rights and freedoms of the data subjects.

Whether these conditions apply depends on the specific business and cannot be answered across the board. A shop with regular orders from Europe is in a different position than someone who gets one EU inquiry a year. This assessment does not replace a legal review, and USANTIS deliberately offers no legal advice here. What we do help with is asking the question properly in the first place.

What happens when the representative is missing

A missing EU representative does not show at first. The website runs, the banner is up, nobody complains. Unlike a misconfigured cookie tool, there is no visible symptom. That is exactly what makes the gap tricky.

It becomes visible only when someone looks closely:

  • A data subject wants to exercise their rights and finds no contact in the EU.
  • A supervisory authority asks for the designated representative during a review.
  • An investor or business partner goes through the data protection paperwork in a due diligence and hits the open item.

In those moments an abstract formality turns into a very concrete problem, and one that is harder to solve under time pressure than calmly beforehand.

Which companies this matters for most

The representative question does not press equally on everyone. It becomes particularly relevant for companies whose business runs on digital data and who have international users early, before they build a data protection team of their own.

That includes growing SaaS providers whose tool spreads across Europe, often faster than expected. E-commerce companies that supply European customers and process address, payment and order data along the way. Digital publishers and app providers that reach European users through advertising and analytics. And service firms like agencies or law firms working for clients with an EU footprint.

What these companies have in common is that they serve the European market long before they think of themselves as active in Europe. That is exactly the phase where the representative obligation is left open most often.

Representative, data protection officer and software are three different things

These three terms often get blurred, yet they do quite different jobs.

The data protection officer works on the inside. They advise the company and make sure it follows the data protection rules. Whether a company needs one depends on its own criteria and is independent of the representative question.

The EU representative works on the outside. It is the designated contact in the EU for data subjects and authorities. That is the role USANTIS takes on.

The data protection software carries out the work. It collects consent, scans cookies, manages requests and documents the result. That is Captain Compliance’s area.

Keep these three apart and it quickly becomes clear that they complement each other rather than overlap.

How the obligation and the execution fit together

An EU representative fulfils a legal obligation. It does not make sure the day-to-day data protection work gets done. And even the best software does not designate a representative. Only together do they add up to a complete picture.

What comes up The challenge How USANTIS and Captain Compliance help together
Reachability in the EU Data subjects and authorities need a contact in Europe USANTIS provides the designated representative under Art. 27
Cookie consent Visitors need a clean, provable choice Captain Compliance delivers consent management and logging
Up-to-date cookie details Websites change, disclosures go stale Captain Compliance scans cookies and keeps the transparency page current
Data subject requests Requests must be captured, verified and answered on time Captain Compliance centralises the handling, USANTIS is the point of contact
Evidence for authorities In an audit, what counts is what you can prove USANTIS as the contact point, Captain Compliance for logs and documentation

Split this way, the legal contact point sits with USANTIS and the ongoing execution with Captain Compliance. For a company with European users, far less is left open than when only one of the two sides is covered.

A clean setup for companies with an EU footprint

A company outside the EU with European customers does not have to reinvent data protection. It is more about putting the right pieces together and not missing a gap. In practice that comes down to four things: a clear legal basis, a designated representative in the EU where one is required, software that handles consent and requests cleanly, and documentation that proves, if it comes to it, that everything works.

USANTIS and Captain Compliance cover two of those pieces, and precisely the ones that are left undone most often. The representative, because it is invisible. The execution, because it is hard to do by hand.

The next step

If you already use Captain Compliance, you have the operational side in hand. Then it is worth the short follow-up question of whether the representative obligation under Article 27 applies to you as well. It is quickly clarified and, if it does, just as quickly handled.

USANTIS helps you assess whether the obligation is relevant and takes on the representation when you need it. Not sure whether Article 27 applies to you? The free compliance checker gives you an answer in about five minutes, at usantis.com/compliance-checker. For the operational side around consent, cookies and data subject requests, Captain Compliance is the partner to talk to. For larger or unclear situations, a short call is also possible before you commit.

  About USANTIS

USANTIS provides EU representation under Article 27 GDPR for companies based outside the EU and serves as the named point of contact in Europe for data subjects and supervisory authorities. Set up as a self-service in minutes, operated from Germany. Learn more at usantis.com.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.