GDPR Article 27 EU Representative: Requirements, Enforcement, and Compliance Steps for Non-EU Companies

For the better part of a decade, the EU representative requirement under Article 27 of the General Data Protection Regulation was treated by many non-EU companies the way drivers treat speed limit signs in the rain — noticed, acknowledged, and quietly ignored. That calculus is changing. EU supervisory authorities have spent recent enforcement cycles demonstrating that failing to appoint a designated EU representative is not a minor procedural oversight. It is, in an increasing number of cases, the first line of attack — and the easiest violation to prove.

Understanding why requires going back to the design logic of the GDPR itself and the territorial problem it was built to solve.

The Extraterritorial Problem the GDPR Was Built to Fix

When the GDPR replaced the EU Data Protection Directive in May 2018, one of the most significant architectural changes was jurisdictional. The old Directive applied primarily to data controllers established in the EU or those using equipment located within EU territory to process personal data. This left an increasingly untenable gap: companies with no European offices, no European servers, and no European employees were nonetheless collecting, profiling, and monetizing data from millions of EU residents — and doing so completely outside the legal reach of EU regulators.

The GDPR’s drafters addressed this directly through Article 3, the extraterritorial scope provision. Under Article 3(2), the GDPR applies to any organization — regardless of where it is established — that offers goods or services to data subjects in the EU, or that monitors the behavior of data subjects within the EU. The concept of “establishment” became essentially irrelevant. A SaaS company headquartered in Texas, a mobile app developer based in Singapore, an e-commerce platform operating out of São Paulo — if they are actively targeting EU consumers or tracking EU residents online, they are within the GDPR’s scope and must comply with its full requirements.

This was a genuinely significant expansion of regulatory reach. It was also, as a practical matter, immediately confronted with the oldest problem in cross-border law enforcement: how do you actually compel compliance from an entity that sits outside your jurisdiction?

Article 27: The Enforcement Hook

Article 27 of the GDPR provides the structural answer to that question. It requires controllers and processors subject to the GDPR under Article 3(2) — meaning those without an EU establishment — to designate a representative in the European Union in writing. That representative must be established in one of the EU member states where the data subjects whose personal data is being processed are located.

GDPR Article 27 Enforcement Is No Longer a Paper Tiger

The representative’s function is not merely ceremonial. Under Article 27(4), the representative serves as the point of contact for supervisory authorities and for data subjects, specifically with regard to issues related to processing. That language carries weight: the representative is the accessible face of a foreign company for regulatory purposes. They can be contacted for investigations, audits, and inquiries. When a data subject exercises rights — access, erasure, rectification — and the foreign company fails to respond, the representative is the addressable entity in the EU. When a DPA needs to open enforcement proceedings against a non-EU company, having a named representative in a member state means there is a legal entity within the DPA’s jurisdiction to formally engage.

Conversely, the absence of a representative is itself a GDPR violation — one that is straightforward to identify and does not require any complex investigation into data flows, legal bases, or processing activities. A DPA looking at a foreign company that clearly targets EU consumers can check for an Article 27 representative in a matter of minutes. If none exists, they have a ready-made enforcement hook that requires no further factual development to pursue.

Why Enforcement Took Time to Arrive — and Why It Is Here Now

Article 27 enforcement was slow to materialize in the early GDPR years, and the reasons were structural rather than political. Supervisory authorities were simultaneously managing enormous caseloads of complaints, building new investigative frameworks, and working through the One-Stop-Shop mechanism under Article 60 — which governs how DPAs cooperate when a company processes data across multiple member states. High-profile enforcement against the major tech platforms, involving complex legal questions about consent, legitimate interests, and data transfers, consumed significant bandwidth.

The Article 27 representative requirement, by contrast, was treated in most circles as a compliance checkbox: important in theory, low priority in practice, rarely the subject of standalone enforcement action. Smaller foreign companies operating in the EU often simply did not bother appointing one, gambling that regulators had larger targets in their sights.

That calculation has shifted materially. Several enforcement developments over the past two years have changed the risk profile of non-compliance with Article 27.

First, DPAs have become more systematic in how they identify non-compliant foreign operators. The growth in data breach notifications, consumer complaints, and civil litigation involving non-EU companies has given regulators a richer dataset of foreign companies processing EU personal data. Cross-referencing those companies against public representative registries — some member states, including Germany, maintain these — has made it significantly easier to flag Article 27 deficiencies without resource-intensive investigation.

Second, the enforcement appetite has grown. The Irish Data Protection Commission, long the lead supervisor for many major technology companies under the One-Stop-Shop mechanism, has issued decisions running into hundreds of millions of euros. Other DPAs, particularly in France, Italy, and the Netherlands, have developed independent enforcement cadences and are no longer content to wait for consensus processes to resolve every cross-border matter. A non-EU company with no EU establishment falls outside the One-Stop-Shop framework entirely — it is subject to enforcement by any DPA in any member state where its processing activities touch data subjects. That means the pool of authorities empowered to act against non-compliant foreign operators is not one DPA but twenty-seven.

Third, Article 27 fines are beginning to appear in enforcement databases. These are not always headline-generating penalties — a regional DPA issuing a five-figure fine against a non-EU mobile app company that failed to appoint a representative will not drive news cycles — but they are real, they are documented, and they create precedent that other companies operating in the same sectors can no longer claim ignorance of.

Who Is Required to Appoint a Representative

The obligation under Article 27 applies to controllers and processors that meet the Article 3(2) extraterritorial scope test but do not have an establishment in the EU. The concept of “establishment” under the GDPR is not limited to registered corporate entities. Under the Court of Justice of the European Union’s long-standing jurisprudence on establishment, effective and real exercise of activity through stable arrangements is sufficient — even a single employee based in a member state with some meaningful role in the processing activities could in principle satisfy the establishment criterion.

For companies that clearly lack any EU presence, the analysis is simpler. If the company:

  • Offers goods or services to individuals in the EU (whether for payment or for free), or
  • Monitors the behavior of individuals located in the EU (including through tracking technologies, behavioral profiling, or analytics),

then Article 27 almost certainly applies — and the company must appoint a representative.

There are limited exceptions. Article 27(2) carves out processing that is occasional, does not include large-scale processing of special category data or criminal conviction data, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing. This exception is narrow and should be interpreted conservatively. The phrase “occasional” means genuinely incidental — not a recurring commercial relationship with EU consumers dressed up as sporadic. Regulators and privacy practitioners have generally cautioned against over-relying on this exemption, and a company whose core revenue model involves EU data subjects has almost no credible basis for claiming it applies.

Public authorities and bodies are separately exempt, though this carve-out has limited practical relevance for most companies navigating commercial GDPR compliance.

What an EU Representative Must Do — and What They Cannot Do

Understanding the practical scope of the Article 27 representative role matters because companies sometimes confuse it with adjacent obligations, or assume that appointing a representative discharges more compliance weight than it actually does.

The representative’s primary functions are communicative: serving as the accessible contact point for supervisory authorities and data subjects. When a DPA initiates an inquiry, the representative is who they contact. When a data subject submits an access request or erasure request to the representative — rather than directly to the controller — the representative must forward it to the controller and facilitate a response. The representative does not independently manage processing activities, make data governance decisions, or substitute for the controller’s own compliance infrastructure. They are a relay point, not a compliance substitute.

This has important liability implications. Article 27(4) specifies that the representative shall be subject to enforcement proceedings in the event of non-compliance by the controller or processor. The representative can be held directly liable — fined, ordered to take remedial action — for the foreign controller’s GDPR failures. Reputable Article 27 representative service providers understand this and typically require contractual protections, indemnities, and access to the controller’s compliance documentation before accepting the mandate. A company that appoints a representative and then refuses to cooperate with that representative’s requests for information is creating a situation that is untenable for both parties and likely to result in the representative terminating the engagement — which returns the company to non-compliance.

The representative is also not a Data Protection Officer. The DPO obligation under Article 37 is a separate, distinct requirement with its own triggers. A company may be required to appoint both an Article 27 representative and a DPO, and the same individual or entity can serve both roles only if that arrangement is practically compatible — which in many cross-border structures it is not, given the different geographic and functional requirements attached to each role.

The Enforcement Mechanics: How DPAs Are Actually Using Article 27

Enforcement against Article 27 non-compliance tends to follow one of several patterns, each with different risk profiles for foreign companies.

The most common is complaint-triggered investigation. A data subject submits a complaint to a DPA about a non-EU company — perhaps because an access request went unanswered, or because the company’s cookie practices appeared non-compliant, or because of a data breach notification that revealed processing by a foreign operator. The DPA’s first step is often to identify the company’s Article 27 representative so that formal correspondence can be sent. If no representative exists, the DPA has an immediate compliance failure in hand that does not require complex legal analysis to pursue.

A second pattern is sector-specific sweeps. DPAs, sometimes coordinating through the European Data Protection Board, have conducted coordinated enforcement actions targeting specific sectors — health apps, children’s platforms, behavioral advertising networks. These sweeps routinely surface non-EU operators that have failed to appoint representatives, and the Article 27 failure becomes the lead count in a broader enforcement action that may also address consent, transparency, and data minimization.

A third and increasingly relevant pattern is enforcement prompted by civil litigation. Privacy class actions and individual suits before member state courts against non-EU companies sometimes require the plaintiff’s counsel or the court itself to identify a point of contact or a GDPR representative. The absence of one gets flagged to the relevant DPA, triggering regulatory attention. As tracking technology litigation has accelerated in Europe — with plaintiff firms filing actions around pixel-based tracking, session replay, and behavioral advertising — this referral pathway is becoming more active.

Fines for Article 27 failures fall under Article 83(4) of the GDPR, which sets a maximum of €10 million or 2% of total worldwide annual turnover, whichever is higher. In practice, standalone Article 27 fines have generally been issued at the lower end of that scale, reflecting the fact that the violation, while clear and enforceable, does not by itself involve harm to data subjects in the same way that a consent failure or a data breach does. But Article 27 findings are frequently packaged with other violations — transparency failures, unlawful processing, inadequate security measures — and the cumulative picture can be significantly more severe.

Compliance Obligations for Non-EU Organizations

For organizations that have not yet addressed their Article 27 obligations — or that have done so superficially — the practical path forward involves several concrete steps.

Conduct a scope assessment. The starting point is confirming whether Article 3(2) applies. This means examining whether the company actively targets EU consumers through localized content, EU-specific pricing, EU-currency payment options, or marketing directed at EU residents. It also means examining whether the company’s analytics, tracking, or profiling activities extend to individuals located in the EU. If either test is satisfied, and the company has no EU establishment, Article 27 applies.

Select the appropriate member state for the representative. The representative must be established in one of the EU member states where the data subjects whose personal data is being processed are located. For companies with EU-wide reach, this provides flexibility — the representative can be established in any member state where processing activities touch data subjects. Practical considerations include the language capabilities of the service provider, the regulatory culture and enforcement appetite of the member state’s DPA, and the cost and contractual terms of available representative services. Ireland, the Netherlands, and Germany are common choices, each with established ecosystems of Article 27 representative service providers.

Execute a formal written mandate. Article 27 requires the representative to be designated in writing. The designation document should specify the scope of the mandate, the obligations of both parties, the liability framework (including indemnification for enforcement actions taken against the representative), and the information-sharing obligations that will allow the representative to respond to DPA and data subject inquiries. A representative agreement that does not give the representative access to the controller’s privacy policies, processing records, and compliance documentation is functionally useless.

Publish the representative’s contact details. Under Articles 13 and 14 of the GDPR, controllers must include the representative’s identity and contact details in their privacy notices. This is not merely a technical requirement — the representative’s contact information must be findable by data subjects and DPAs who need to reach the controller. A representative buried in the fourteenth paragraph of a privacy policy written in legalese that fails to identify the representative clearly may not satisfy the transparency obligation, even if a representative technically exists.

Update Records of Processing Activities. Article 30 requires controllers to maintain records of processing activities. For non-EU controllers subject to Article 27, the representative’s details must be included in those records. This is also where the scope of the representative’s mandate should be clearly documented.

Establish response workflows. The representative needs to know what to do when they receive a DPA inquiry or a data subject request. This means establishing clear internal communication channels between the representative and the controller’s privacy team, including documented turnaround times, escalation procedures for enforcement correspondence, and a point of contact on the controller’s side who is empowered to make decisions about how to respond.

The Broader Compliance Signal

The rise in Article 27 enforcement sends a message that extends beyond the specific requirement. It reflects a broader posture by EU regulators that the GDPR’s extraterritorial reach is not aspirational — it is operational. The mechanisms designed to bring non-EU companies within the regulatory framework are being used, and the companies that assumed their foreign incorporation insulated them from GDPR obligations are discovering, sometimes through enforcement action, that this assumption was incorrect.

For compliance professionals advising clients with cross-border data operations, Article 27 should be treated as a foundational obligation, not a secondary consideration. It is, in a meaningful sense, the jurisdictional prerequisite for everything else: the representative is how the GDPR’s enforcement architecture reaches across borders. A company that has invested significantly in consent management, data minimization, and breach response protocols but has neglected to appoint an Article 27 representative has built its compliance program on a structurally incomplete foundation.

More practically, the representative requirement is, relative to other GDPR obligations, not expensive or technically complex to satisfy. A properly scoped representative agreement with a reputable service provider can typically be implemented within weeks. The cost of the engagement — a few thousand euros annually in most cases — is substantially lower than the cost of defending an enforcement action, the reputational damage of being named in a DPA decision, or the operational disruption of a regulatory investigation conducted without a designated point of contact in the EU.

The era of Article 27 as a theoretical obligation that nobody actually enforced is, by measurable evidence, over. Companies operating in the EU from outside it should treat this as a compliance priority — not because regulators have announced they are focusing on it, but because the enforcement data increasingly shows they already are.
