GDPR for US Companies Expanding to the EU: DPO & EU Rep

US tech companies expanding into Europe face two distinct GDPR obligations that are easy to confuse: the EU Representative under Article 27 and the Data Protection Officer under Article 37. They are separate roles with separate triggers. In 2026, a growing share of US SaaS, HealthTech, and FinTech companies need one or both before they can close European enterprise deals or pass investor due diligence.

This guide explains what each role does, when a US company is actually required to appoint one, whether the DPO has to be based in the EU, how regulated sectors raise the bar, and how to set everything up without over-buying or leaving a gap.

The two roles US companies confuse

The EU Representative and the DPO are different roles with different purposes.

The EU Representative under Article 27 is a local point of contact in the EU for companies that have no establishment there. It exists so EU individuals and supervisory authorities have someone inside the EU to reach. It is an administrative role that carries legal liability. It does not give compliance advice.

The Data Protection Officer under Article 37 is an independent oversight role. The DPO monitors compliance, advises on obligations, and acts as the contact point with supervisory authorities on data protection matters. The DPO must be independent and free of conflicts.

Here is how they compare:

  Purpose
    EU Representative (Art. 27): Local EU contact point for non-EU companies
    Data Protection Officer (Art. 37): Independent oversight of data protection
  Triggered by
    EU Representative (Art. 27): Offering goods or services to, or monitoring, EU individuals with no EU establishment
    Data Protection Officer (Art. 37): Large-scale monitoring or large-scale special category processing as a core activity
  Nature
    EU Representative (Art. 27): Administrative, liability-bearing
    Data Protection Officer (Art. 37): Advisory, independent
  Must be in the EU?
    EU Representative (Art. 27): Yes, located in an EU member state
    Data Protection Officer (Art. 37): No, but EU experience helps in practice
  UK equivalent
    EU Representative (Art. 27): Separate UK Representative needed
    Data Protection Officer (Art. 37): Same DPO can cover UK and EU

A US company might need an EU Representative and/or a DPO depending on its processing and its EU footprint.

When a US company needs an EU Representative

If a US company has no establishment in the EU but offers goods or services to people in the EU, or monitors their behaviour, it generally must appoint an EU Representative under Article 27. There are narrow exemptions for occasional, low-risk processing, but most US SaaS, e-commerce, and consumer apps with EU users fall inside the requirement.

The same logic applies to the UK separately. A US company serving UK individuals without a UK establishment generally needs a UK Representative as well. EU and UK representation are separate appointments.

When a US company needs a DPO

A DPO is mandatory under Article 37 when a company’s core activities involve large-scale monitoring of individuals or large-scale processing of special category data such as health information. For US tech companies, the common triggers are behavioral analytics and user tracking at scale (much SaaS analytics and adtech) and health data processing at scale (HealthTech). If you are unsure whether you cross the threshold, a short scoping exercise resolves it quickly.

Even when not mandatory, many US companies appoint a DPO voluntarily once European enterprise customers and investors start asking about it in due diligence. A voluntary DPO must meet the same independence requirements as a mandatory one.

Does the DPO need to be based in the EU?

GDPR does not require the DPO to be physically located in the EU. A US company can appoint a DPO based anywhere, provided the DPO is reachable by EU data subjects and supervisory authorities and can perform the role properly.

In practice, three things push US companies toward an EU-established or EU-experienced DPO. First, supervisory authority interactions and many enterprise questionnaires are easier when the DPO understands EU regulators directly. Second, the DPO and the EU Representative have to coordinate, and because EDPB guidance treats the two roles as incompatible, they cannot be the same entity, so an EU-based DPO can manage that coordination and help you appoint a separate Representative. Third, when a breach or a regulator inquiry happens, time zone and direct regulator familiarity matter.

Regulated sectors face a higher bar

FinTech, HealthTech, and AI companies face additional layers on top of GDPR, and a generalist DPO is rarely enough.

FinTech companies expanding to the EU process payment data and run KYC and fraud checks, and they also encounter DORA, which raises the bar on operational resilience and third-party vendor oversight. The DPO has to understand how privacy obligations interact with these financial rules.

HealthTech companies cross the special category threshold almost immediately, because health data is special category data under Article 9. Telehealth, diagnostics, mental health, and wellness platforms draw heightened scrutiny and a near-automatic DPO requirement once they operate at scale.

AI companies placing systems on the EU market face the EU AI Act, which introduces risk-classification and governance obligations independent of GDPR and interacts closely with privacy compliance. General-purpose AI providers face additional documentation duties.

For companies in these sectors, the role needs someone who has handled regulated, high-risk processing before.

The timing trap most US companies fall into

Here is where it goes wrong for a lot of US companies. A US tech team, deep in a funding round, gets told by an investor’s counsel that it needs a DPO or EU Representative in place before the round can close, with the clock already running. Both roles can be stood up quickly, but retrofitting under deal pressure costs more time and leverage than appointing them when EU expansion is first planned. The companies that handle this well build EU privacy setup into go-to-market planning, so it is in place before a deal is on the table.

How to set it up

  1. Confirm whether you offer goods or services to, or monitor, people in the EU. If yes, scope the EU Representative requirement under Article 27.
  2. Assess whether your processing triggers a mandatory DPO under Article 37. If it does, appoint one. If it does not but customers are asking, consider a voluntary appointment.
  3. Keep the two appointments separate. EDPB guidance treats the DPO and EU Representative as incompatible roles that cannot be the same entity, though one EU-based partner can act as your DPO and coordinate a separate Representative.
  4. Notify the relevant supervisory authority of the DPO appointment and publish the DPO contact details.
  5. Repeat the representative analysis for the UK if you serve UK individuals.

Common mistakes US companies make

  • Treating the EU Representative and the DPO as the same role. They are separate appointments.
  • Assuming no EU office means no GDPR obligations. Offering services to EU individuals is enough.
  • Setting up a dpo@ inbox that nobody monitors. Regulators and customers expect a real, reachable role.
  • Forgetting the UK is now separate from the EU and needs its own analysis.
  • Choosing a DPO on price alone for regulated or high-risk processing.

Frequently asked questions

Can a US company use one provider for both the EU Representative and the DPO?

Not the same provider. EDPB guidance treats the two roles as incompatible, because the DPO must stay independent while the EU Representative acts on the company’s instructions and can be held liable in enforcement. The clean structure is one provider acting as your DPO and coordinating a separate, independent EU Representative.

Does having EU customers automatically mean we need a DPO?

No. EU customers trigger the EU Representative analysis, not automatically a DPO. The DPO is triggered by large-scale monitoring or special category processing as core activities.

How fast can we get compliant?

An EU Representative can usually be appointed quickly. A fractional DPO can typically be appointed within a few weeks, including onboarding and notification to the supervisory authority.

What does it cost?

An EU Representative typically costs a few hundred euros per month. A fractional DPO for a Seed through Series C tech company typically runs 2,000 to 5,000 euros per month depending on scope and the number of jurisdictions covered, against roughly 120,000 to 180,000 euros per year for a full-time senior hire.

Do we need this before launching in the EU or after?

Ideally before. Enterprise customers and investors increasingly ask for both during due diligence, and retrofitting under deal pressure is harder.

Next step

Engage Compliance offers US companies a free scoping call to map which roles you need (an EU Representative, a DPO, or both) before you enter the EU.

About Engage Compliance

Engage Compliance is an EU-established fractional DPO and privacy compliance practice for tech companies across the EU, UK, and US. Engage assigns a senior DPO to every engagement, backed by an advisor network for continuity. Founder Julian Gage has 15+ years of privacy experience and has served as DPO, Chief Privacy Officer, and Head of Privacy at 100+ companies including Amazon, AbbVie, Medtronic, Coinbase, Hopin, Nestle, IKEA, and Robinhood, plus 100+ start-ups, and holds CIPP/E, CIPM, CIPP/US, and CIA certifications.
