If your business collects, stores, or processes personal data belonging to people in the European Union or the United Kingdom — but your company itself isn’t based there — you almost certainly have a legal obligation you may not have fully acted on yet. GDPR Article 27 requires most non-EU and non-UK organizations to appoint a local representative in each region where they process residents’ data. Ignore that requirement and you’re not just running a compliance risk; you’re handing regulators a straightforward, easy-to-enforce violation that carries fines of up to €20 million or 4% of global annual turnover under the EU GDPR, and equivalent penalties under the UK GDPR.
This guide breaks down exactly what Article 27 demands, who qualifies for an exemption, how EU and UK Representatives differ from a Data Protection Officer (DPO), and what a properly structured compliance setup actually looks like in practice. Whether you’re a US-based SaaS company with European customers, an Australian e-commerce brand shipping into the UK, or a Canadian recruitment firm sourcing candidates from Germany, the rules apply to you — and the steps to get compliant are more straightforward than most lawyers make them sound.

What Is GDPR Article 27 and Why Does It Exist?
GDPR Article 27 sits within Chapter IV of the General Data Protection Regulation, the section that deals with controllers and processors. Its core purpose is straightforward: where an organization based outside the EU processes data about EU residents and does so regularly or on a large scale, that organization must designate a representative physically located within the EU. The representative acts as a local point of contact for both data subjects — the individuals whose data is being processed — and for supervisory authorities like Germany’s BfDI, France’s CNIL, or Ireland’s DPC.
The provision exists because regulators recognized a practical problem early on. Before GDPR came into force in May 2018, non-European companies processing European data were effectively beyond easy regulatory reach. Sending enforcement correspondence to a company headquartered in Silicon Valley or Singapore created logistical headaches. By requiring a local representative, the regulation ensures there’s always a reachable, accountable entity within the jurisdiction — someone a data subject can contact with a subject access request, and someone a supervisory authority can serve with an inquiry or an enforcement notice.
The UK equivalent — found in Article 27 of the UK GDPR, which largely mirrors the EU text following Brexit — exists for the same reasons, applied to the UK’s own data protection framework as administered by the Information Commissioner’s Office (ICO).
Who Needs an EU Representative Under GDPR Article 27?
The obligation applies to controllers and processors not established in the EU whose processing activities relate to data subjects in the EU and either (a) involve the offering of goods or services to those individuals — whether or not payment is required — or (b) involve the monitoring of their behavior, where that behavior takes place within the EU.
In plain terms, if you fall into any of the following categories, you almost certainly need an EU Representative:
- You run a website that accepts orders, sign-ups, or enquiries from EU residents. Having EU-specific pricing, accepting euros, or shipping to EU countries are all strong indicators that you’re “offering goods or services” to EU residents.
- You use cookies or tracking technologies on EU visitors. Behavioral tracking — including analytics platforms, retargeting pixels, and heatmapping tools — constitutes monitoring behavior under the GDPR’s scope provisions.
- You operate a mobile app downloaded by EU users. Even free apps that collect usage data are covered.
- You process employee data for EU-based staff. If you have workers in Germany, France, Spain, or any other member state, you’re processing their data in scope of the GDPR.
- You’re a processor handling EU personal data on behalf of another company. If you’re a cloud provider, payroll processor, or marketing platform whose clients include EU-based businesses, your processing likely falls in scope.
The regulation does carve out an exemption — but it’s narrower than many businesses assume. Article 27(2) states the obligation doesn’t apply where the processing is “occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offenses referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons.” In practice, the European Data Protection Board (EDPB) has consistently interpreted this exemption narrowly. Most commercial processing — even if infrequent — doesn’t qualify because it inherently carries some risk to data subjects’ rights.
Who Needs a UK Representative Under the UK GDPR?
The UK Representative requirement operates in parallel with the EU requirement but is entirely separate. Following Brexit, the UK retained its own version of the GDPR — known as the UK GDPR, sitting alongside the Data Protection Act 2018 — and the ICO enforces it independently of EU supervisory authorities.
If your organization is based outside the UK and processes personal data about UK residents in connection with offering goods or services to them, or monitoring their behavior in the UK, you need a UK Representative. Critically, appointing an EU Representative does not satisfy your UK obligation, and vice versa. A US company processing data from both EU and UK residents needs two separate representatives — one within an EU member state, and one within the UK.
There’s one nuance post-Brexit worth noting: EU-based businesses that previously needed no UK Representative because they were “established in the EU” now need one for their UK processing activities, just as UK businesses now need an EU Representative. The mutual recognition that existed prior to 31 January 2020 no longer applies.
What Does an EU or UK Representative Actually Do?
The Representative’s role is defined by Article 27 in conjunction with Article 4(17), which defines “representative” as a natural or legal person established in the Union designated by the controller or processor in writing. The core functions are:
- Acting as a contact point for supervisory authorities. Any supervisory authority that wants to address correspondence or enforcement action to your organization can direct it to the Representative. This doesn’t mean the Representative assumes liability on your behalf — they don’t — but they must be reachable and responsive.
- Acting as a contact point for data subjects. Individuals exercising their rights under the GDPR — subject access requests, erasure requests, objections to processing — can address their queries to the Representative. The Representative is expected to handle or forward these to you within the required timeframes.
- Maintaining records of processing activities. Under Article 30(3), where Article 27 applies, the Representative must be named in the Records of Processing Activities (RoPA). The Representative may also be required to make those records available to supervisory authorities on request.
- Being identified in your Privacy Policy. Your privacy notice must include the identity and contact details of your Representative, so data subjects know who to contact in their region.
What a Representative doesn’t do is make compliance decisions on your behalf, hold legal liability for your violations, or replace the need for a Data Protection Officer where one is required. The Representative is a conduit and a point of contact, not a substitute for your own compliance program.
EU/UK Representative vs. Data Protection Officer: Understanding the Difference
One of the most common sources of confusion in GDPR compliance — particularly for non-European organizations encountering these requirements for the first time — is conflating the EU Representative role with that of a Data Protection Officer. They are distinct obligations, triggered by different conditions, carrying different responsibilities.
| Feature | EU / UK Representative | Data Protection Officer (DPO) |
|---|---|---|
| Legal Basis | GDPR Article 27 / UK GDPR Article 27 | GDPR Articles 37–39 / UK GDPR Articles 37–39 |
| Who Must Appoint | Non-EU/UK controllers and processors in scope of GDPR/UK GDPR | Public authorities; organizations doing large-scale systematic monitoring; organizations processing special category data at scale |
| Location Requirement | Must be physically established in the EU (for EU Rep) or UK (for UK Rep) | No location restriction — can be based anywhere |
| Primary Role | Contact point for regulators and data subjects | Independent oversight of the organization’s compliance; advisory role; liaison with supervisory authority |
| Can Be the Same Person/Entity? | Yes, in some cases — but with care | Yes, if no conflict of interest exists |
| Liability | Representative has no personal liability under GDPR | DPO cannot be dismissed or penalized for performing their tasks |
For non-EU organizations that are also required to appoint a DPO — because, for example, they systematically monitor individuals at scale (think: ad tech, location data, large SaaS platforms) — it’s possible to use a combined service that handles both functions. You can learn more about how an EU Representative and DPO together can be provided as a bundled compliance function, which often makes more practical and commercial sense than sourcing them separately.
How to Formally Appoint an EU or UK Representative
The appointment must be made in writing, under Article 27(1). This means a formal written mandate — typically a service agreement or a letter of appointment — that clearly defines the scope of the Representative’s role, the processing activities they are representing you for, and the channels through which they will operate. A verbal arrangement or a simple email confirmation is not sufficient.
The key steps in a compliant appointment are:
1. Identify your processing activities and confirm the obligation applies. Map out what personal data you process relating to EU or UK residents, for what purposes, and whether the Article 27(2) exemption could legitimately apply. If in doubt, the default position is that the obligation applies and the exemption does not.
2. Select a Representative established in the right jurisdiction. For EU processing, they must be established in an EU member state. Recital 80 of the GDPR notes they should ideally be in a member state where the data subjects whose data you process are located — though any member state is technically permissible. For UK processing, they must be established in the UK. Be aware that representatives based in countries like Switzerland, Norway, or Iceland — which are in the European Economic Area but not the EU — do not satisfy the Article 27 requirement.
3. Execute a written mandate. The mandate should cover: the identity of the Representative; the controller or processor they represent; the categories of processing covered; how they will handle incoming correspondence; escalation procedures for subject rights requests; and the duration and termination conditions of the arrangement.
4. Update your Records of Processing Activities. Your RoPA must include the Representative’s name and contact details under Article 30(3).
5. Update your Privacy Policy and other notices. Your externally facing privacy notice must identify the Representative so data subjects in the EU or UK know they have a local contact. Many organizations add a specific paragraph or a dedicated section covering their Article 27 Representative’s details.
6. Update your DPA template if you’re a processor. If you enter into Data Processing Agreements with clients, those agreements should reference your Representative appointment where relevant.
What Happens If You Don’t Appoint a Representative?
Failure to appoint an EU or UK Representative where the obligation applies is itself a violation of the GDPR — separate from any underlying data protection failures. Under Article 83(4), infringements of Article 27 are subject to administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
That said, the practical enforcement risk goes further than the fine itself. An organization that has failed to appoint a Representative is harder to contact and — from a regulator’s perspective — appears less engaged with compliance generally. Supervisory authorities can and do use the absence of a Representative as a marker of broader non-compliance when investigating complaints or conducting audits. The ICO has similarly indicated that failure to appoint a UK Representative is a factor it considers in assessing the severity of an organization’s non-compliance.
There’s also the data subject rights angle. If a UK or EU resident submits a subject access request and there’s no identifiable local contact, their experience of trying to exercise rights becomes an immediate complaint point. Regulators take these complaints seriously, and a pattern of unanswered or hard-to-reach rights requests creates its own enforcement trajectory.
EU Representatives for US and Non-European Companies: Practical Considerations
For US-based organizations in particular, the Article 27 obligation often comes as a surprise — especially for smaller tech companies, agencies, and e-commerce businesses that didn’t realize the GDPR applied to them at all. The key thing to understand is that GDPR jurisdiction is determined by the location of the data subject, not the location of the processor. If your website is accessible from France and a French resident uses it, the GDPR applies to that interaction.
US companies often ask whether they can simply appoint their EU-based counsel as their representative. The answer is technically yes — but there are practical reasons why a specialist representative service is often preferable. A law firm acting as Representative faces potential conflicts of interest if it also advises on the very compliance issues it might be asked to report on. Specialist Article 27 representative services are structured specifically for the function, typically offer lower costs, and carry appropriate professional indemnity insurance.
When selecting a representative service, look for: physical establishment in the target jurisdiction (not just a registered address); a clear, documented process for handling supervisory authority correspondence and data subject requests; an articulated turnaround standard for escalating requests to you; and clarity on what happens if the representative ceases trading or terminates the arrangement.
When Do You Also Need a DPO?
The obligation to appoint a Data Protection Officer under Articles 37–39 of the GDPR is separate from, and cumulative with, the Article 27 Representative requirement. You may need one, the other, or both. The DPO requirement is triggered when:
- You are a public authority or body (with limited exceptions for courts acting in their judicial capacity).
- Your core activities involve large-scale systematic monitoring of individuals. The EDPB’s guidance on DPOs identifies “systematic monitoring” as including online behavioral tracking, location data processing, and building detailed profiles of individuals for advertising or other commercial purposes. If your business model depends on processing data at scale to understand and predict user behavior, the DPO obligation very likely applies.
- Your core activities involve large-scale processing of special category data. Special categories include health data, genetic data, biometric data used for identification, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life or sexual orientation. Businesses in health tech, clinical research, HR analytics, and similar sectors should pay particular attention here.
The DPO must be appointed based on their professional qualities and expert knowledge of data protection law, must be given the resources necessary to carry out their tasks, and must be able to operate independently. They cannot be dismissed or penalized for performing their DPO function. For many small and medium-sized organizations, appointing an external DPO — sometimes called an outsourced or virtual DPO — is more practical and cost-effective than maintaining an in-house role. You can read more about how to outsource Data Protection Officer work and what to look for in a qualified provider.
Can One Provider Cover Both the EU Representative and DPO Role?
Yes — and for many non-European organizations, this is the most efficient approach. A combined EU Representative and DPO service means a single provider handles both the formal Article 27 contact point function and the Article 37–39 oversight and advisory function. There are, however, some important caveats.
The DPO role requires independence. Article 38(6) allows the DPO to fulfill other tasks and duties, provided there’s no conflict of interest. A combined Representative/DPO provider must be structured so that the DPO function isn’t compromised by the Representative function — in practice, this means robust internal procedures for separating the two roles and clear contractual language about independence.
For most non-EU organizations that are large enough to require a DPO, engaging a specialist compliance firm that offers both services together is a reasonable and commonly adopted solution. It reduces vendor management complexity, typically results in better integration between the two functions, and means a single point of accountability for your EU-facing compliance obligations.
Article 30 and Records of Processing: The Representative’s Administrative Role
Article 30(3) states that the obligation to maintain Records of Processing Activities (RoPA) also applies to representatives of controllers or processors. In practice, this means your EU or UK Representative should hold — or have ready access to — an up-to-date copy of your RoPA, and must be prepared to make those records available to the relevant supervisory authority upon request.
This is an important administrative function that often gets overlooked when organizations first establish their Representative arrangement. A well-run service will include a process for you to provide an updated RoPA when your processing activities change, and will maintain a copy in a format that can be quickly disclosed if a regulator comes asking. If your Representative has no idea what data you process or for what purposes, that’s a gap in your compliance posture.
If you’re building or updating your RoPA as part of a broader GDPR compliance program, make sure the Representative’s identity is included in the document from the outset.
Privacy Notices, Transparency, and the Article 13/14 Obligation
Articles 13 and 14 of the GDPR require controllers to provide data subjects with certain information at the point of collection (Article 13) or within a reasonable time where data is obtained indirectly (Article 14). One of the required information items — listed at Article 13(1)(a) and 14(1)(a) — is the identity and contact details of the controller and, where applicable, the controller’s representative.
This means your privacy notice must name your EU Representative and provide their contact details. Regulators do check this. A supervisory authority investigating a complaint will often look at a company’s privacy policy as one of the first steps, and absence of Representative details is a quick indicator of broader non-compliance. The same applies under UK GDPR — your privacy notice for UK processing should identify your UK Representative.
Keep in mind that your Representative’s contact details in the privacy policy must be kept current. If you change Representative provider, update your privacy policy promptly — failing to do so means data subjects are directed to an entity that no longer holds that responsibility.
Article 27 and International Data Transfers
One area where the Representative obligation intersects with another major GDPR compliance requirement is cross-border data transfers. If you’re a non-EU processor receiving data from EU-based controllers — for example, a US SaaS platform that processes data on behalf of EU clients — you need both an appropriate transfer mechanism (Standard Contractual Clauses, adequacy decision, or similar) and an EU Representative under Article 27.
The two requirements operate independently, but they are often addressed together in a comprehensive cross-border data transfer and compliance review. Your Representative should be aware of the transfer mechanisms in place and be able to speak to them if a supervisory authority raises questions. For more on the implications of cross-border data flows, see our overview of data privacy compliance for international operations.
Common Mistakes Organizations Make With Article 27 Compliance
After working with businesses across a range of sectors and sizes on their GDPR compliance programs, a handful of recurring mistakes stand out when it comes to the Article 27 Representative requirement:
- Assuming the exemption applies when it doesn’t. The Article 27(2) exemption is genuinely narrow. “Occasional” doesn’t mean infrequent in the colloquial sense — it means genuinely incidental and outside the core commercial purpose of the organization. Most businesses processing customer, user, or employee data don’t meet that bar.
- Using a registered address rather than a physical establishment. The GDPR requires “establishment” in the EU or UK, which the EDPB has interpreted to require a real presence — not merely a legal address with no operational substance. A virtual office or a post-forwarding service is unlikely to satisfy regulators.
- Appointing a Representative but failing to update the privacy policy. The appointment is only complete when data subjects can actually find the Representative’s details. An appointment document sitting in a filing system that nobody can access serves nobody.
- Treating the Representative as a compliance substitute. A Representative doesn’t replace the need for internal data protection policies, staff training, breach notification procedures, or any other element of a GDPR compliance program. Their role is specifically defined by Article 27.
- Not providing the Representative with sufficient information. Your Representative needs to know what personal data you process, on what legal basis, for what purposes, and with what retention periods — at minimum. Without that, they can’t meaningfully respond to a supervisory authority inquiry or handle a data subject request appropriately.
How Captain Compliance Can Help With EU/UK Representative and DPO Services
At Captain Compliance, we work with businesses of all sizes to navigate GDPR and UK GDPR obligations — from the practical steps of appointing a Representative to building out full compliance programs. We understand that for growing businesses, compliance has to be practical, proportionate, and commercially sensible. That means clear advice on what you actually need — not a sprawling project scoped for a Fortune 500 with a 50-person compliance team.
Whether you need an EU Representative, a UK Representative, an outsourced DPO, or help understanding how these obligations fit into your broader GDPR compliance program, we can help you build a setup that’s robust without being unnecessarily complex. The goal isn’t just to check a box — it’s to have a compliance posture that holds up under scrutiny and builds genuine trust with your customers and partners.
Frequently Asked Questions
Does GDPR apply to companies outside the EU?
Yes. GDPR applies to any organization — regardless of where it is based — that processes personal data of individuals who are in the EU, where that processing is connected to offering goods or services to those individuals or monitoring their behavior within the EU. The regulation’s extra-territorial scope, set out in Article 3(2), is one of its most significant features and one that many non-European businesses still underestimate.
Can one representative cover both the EU and UK?
No. The EU GDPR and UK GDPR are separate legal instruments. Your EU Representative must be physically established in an EU member state, and your UK Representative must be physically established in the UK. The same individual or entity can theoretically hold both mandates only if they have genuine establishments in both jurisdictions — which is uncommon. In practice, most organizations appoint separate representatives for each.
What is the fine for not appointing an EU Representative?
Under GDPR Article 83(4), failure to comply with Article 27 (the Representative obligation) is subject to administrative fines of up to €10 million, or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. Under the UK GDPR, equivalent penalties apply, administered by the ICO, with fines up to £8.7 million or 2% of global annual turnover.
Is a DPO the same as an EU Representative?
No. These are two separate roles with different legal bases, different triggering conditions, different functions, and different accountability structures. The EU Representative is required under Article 27 for non-EU organizations in scope. The DPO is required under Article 37 for certain categories of organization based on the nature and scale of their processing. One organization may need both, either, or neither, depending on its circumstances.
Can I appoint my lawyer as my EU Representative?
Technically yes, provided your lawyer is physically established in an EU member state. However, there are potential conflicts of interest if the same firm advises you on compliance matters and acts as your Representative. Many specialist representative services are set up specifically for the Article 27 function and are structured to avoid the conflicts that arise in a law firm context. They also tend to be more cost-effective for this specific purpose.
When did the UK Representative requirement come into effect?
The UK GDPR — including the Article 27 Representative requirement — came into effect on 1 January 2021, when the post-Brexit transition period ended and the UK became a third country from the EU’s perspective. From that date, non-UK organizations in scope of the UK GDPR need to appoint a UK Representative, and UK organizations that process EU residents’ data need to appoint an EU Representative.