
GDPR Article 27: Representatives of Non-EU Controllers

GDPR Article 27 requires non-EU controllers targeting EU data subjects to designate an EU representative. Obligations, exemptions, and how to comply in 2026.

In one sentence. GDPR Article 27 requires non-EU controllers and processors subject to the GDPR under Article 3(2) (targeting EU data subjects or monitoring their behavior) to designate an EU-based representative — a natural or legal person who acts as the contact point for supervisory authorities and data subjects in the EU. The representative is separate from the DPO, must be based in a Member State where EU data subjects are, and exposes itself to potential enforcement actions on behalf of the controller.

Article 27 is the GDPR’s enforcement bridge to non-EU companies. Without an EU representative, supervisory authorities would have limited practical recourse against a US, UK, or APAC company processing EU data. The representative makes the controller “reachable” — and, increasingly, enforceable.

For related obligations: GDPR applies outside the EU, Article 28 sub-processor obligations. For DPO distinction: GDPR DPO designation.

Key takeaways

  • Article 27 applies to non-EU controllers and processors caught by Article 3(2) — targeting or monitoring EU subjects.
  • Representative must be established in a Member State where the affected EU subjects are.
  • Two narrow exemptions: occasional processing AND not special category data AND no risk to data subjects, OR public authority/body.
  • Representative is separate from DPO — different role, different liability.
  • The representative is the contact point for supervisory authorities and data subjects.

1. Article 27 — who must designate

Article 27(1) requires designation of an EU representative when all these conditions are met:

  1. The controller or processor is not established in the Union
  2. They are subject to the GDPR under Article 3(2) — i.e., they:
    • Offer goods or services to data subjects in the Union, OR
    • Monitor behavior of data subjects in the Union
  3. No exemption applies (see below)

Typical Article 27 cases

  • US SaaS company with EU customers
  • UK e-commerce post-Brexit selling to EU consumers
  • Asian app developer with EU users
  • Australian/Canadian B2B platform with EU clients

Cases NOT requiring Article 27

  • EU company with EU customers (in scope of Article 3(1), but no representative needed)
  • US company with NO EU customers (not in scope of GDPR)
  • US company whose EU customers are exclusively businesses NOT representing data subjects in the EU

2. The two exemptions (Article 27(2))

The obligation does not apply to:

(a) Occasional processing without special categories or risk

  • Processing is occasional (not regular or systematic)
  • Does not include special categories of data on a large scale (Article 9) or criminal data (Article 10)
  • Is unlikely to result in a risk to rights and freedoms of natural persons

All three conditions must be met. In practice, very few B2C operations qualify — most have at least some risk.

(b) Public authorities or bodies

Non-EU public authorities (e.g., foreign government agencies) are exempt.

3. Where the representative must be established

Article 27(3): the representative must be established in one of the Member States where the data subjects whose personal data are processed are located.

For pan-EU operations: the representative is typically established in the country where the largest concentration of data subjects is, OR a country chosen for legal certainty (Ireland and Luxembourg are common choices).

4. Role and obligations of the representative

The representative must:

  • Be designated in writing
  • Be mandated by the controller/processor to be addressed by supervisory authorities and data subjects on all issues related to processing
  • Maintain the ROPA of the controller (Article 30)
  • Cooperate with supervisory authorities (Article 31)
  • Be identified in the privacy notice (Article 13)
  • Be accessible to data subjects in their language (typically)

5. The representative’s liability

Article 27(5) and Recital 80: the designation of a representative does not affect the responsibility or liability of the controller or processor.

But practically, the representative:

  • Can be named in enforcement actions by supervisory authorities
  • Can be served with administrative penalties (the EDPB confirmed this in Guidelines 3/2018)
  • Has limited but real personal exposure

Several Article 27 representatives have been added to enforcement actions in 2023-2025, reinforcing that this is not a formality.

6. Representative vs DPO — different roles

| Aspect | EU Representative (Art. 27) | DPO (Art. 37-39) |
| --- | --- | --- |
| Purpose | Enforcement contact point | Advisor on compliance |
| Required for | Non-EU controllers/processors under Art. 3(2) | Specific cases (Art. 37(1)) |
| Location | EU Member State of data subjects | Anywhere (but reachable from EU) |
| Independence | Not required to be independent | Independent (Art. 38(3)) |
| Liability | Can be co-named in sanctions | Not liable (Art. 38(3)) |
| Same person OK? | Usually not — conflict of role | |

A single entity cannot serve as both representative and DPO due to potential conflict of interest.

7. How to designate a representative

Step 1 — Identify whether you need one

  • Are you established outside the EU?
  • Are you subject to GDPR under Article 3(2)?
  • Do you fall under an exemption?

Step 2 — Choose a representative

Options:

  • Specialized representative service (€1,500-€5,000/year)
  • EU subsidiary or affiliated entity (if you have one)
  • Law firm with GDPR expertise in an EU Member State

Major providers: VeraSafe, DPN, Prighter, MAPP DPM, EU-Rep, multiple law firms.

Step 3 — Sign the mandate

Written designation specifying:

  • Identity of the representative
  • Scope of authority
  • Term of designation
  • Cooperation arrangements

Step 4 — Notify in your privacy notice

Article 13/14 requires disclosure of the representative’s identity and contact details.

Step 5 — Configure for supervisory authority access

  • Contact information published
  • Multilingual support if pan-EU
  • Process for handling complaints / inquiries

8. Cost of an EU representative service

| Service tier | Cost (annual) | Typical scope |
| --- | --- | --- |
| Basic | €1,500 - €2,500 | Contact point, mandatory disclosure |
| Standard | €3,000 - €5,000 | + ROPA hosting, DSR coordination |
| Premium | €5,000 - €15,000 | + DPIA support, compliance audits |

For a startup or SMB, the basic tier suffices initially. For mid-market with significant EU exposure, standard is recommended.

9. Sanctions for non-designation

Article 83(4)(a) — up to €10M or 2% of global annual turnover.

Notable cases:

  • Clearview AI (multiple EU DPAs, 2022-2024) — multiple sanctions partly citing Article 27 non-designation
  • Various US data brokers — increasing CNIL sanctions for absence of EU representative

The EDPB Guidelines 3/2018 confirmed that Article 27 non-designation is a standalone violation — not just an aggravating factor.

10. UK GDPR — separate representative

Post-Brexit, the UK GDPR also requires non-UK controllers targeting UK data subjects to designate a UK representative. This is separate from the EU representative. A US company with both EU and UK customers needs:

  • EU representative (Article 27 EU GDPR)
  • UK representative (UK GDPR equivalent)

Some providers offer combined EU + UK representation packages.

11. Implementation checklist

For non-EU companies:

  • ☐ Article 3(2) applicability assessed (offering goods/services or monitoring EU subjects)
  • ☐ Exemption analysis documented (if claiming exemption)
  • ☐ Representative chosen (in-house or service provider)
  • ☐ Written mandate signed
  • ☐ Representative identified in privacy notice (Article 13/14)
  • ☐ ROPA accessible to representative (Article 30)
  • ☐ DSR / inquiry handling procedure aligned with representative
  • ☐ UK representative also designated if applicable

12. Tooling

For US/UK/APAC SaaS companies subject to GDPR, Legiscope provides EU representative coordination as part of the platform — DSR routing, ROPA maintenance accessible to the representative, supervisory authority communication workflow.

For related deep-dives: GDPR applies outside the EU, GDPR DPO designation, Article 28 sub-processor, data privacy compliance guide.

Conclusion

Article 27 is the enforcement bridge that makes the GDPR practically applicable to non-EU companies. Cost of compliance is modest (a few thousand euros per year for a service). Cost of non-compliance is significant — both the direct sanction (€10M or 2% of turnover) and the reputational damage of being named in an EDPB-coordinated enforcement action.

FAQ

Who needs an EU representative under GDPR?

Non-EU controllers and processors subject to GDPR under Article 3(2) — those targeting EU data subjects or monitoring their behavior. Two narrow exemptions: occasional processing without special category data AND no risk, OR public authority.

Where must the representative be established?

In one of the Member States where the affected EU data subjects are located. For pan-EU operations, the representative is typically in the country with the largest concentration of users, OR Ireland/Luxembourg for legal certainty.

Can the EU representative also be the DPO?

Generally no — conflict of role. The representative is an enforcement contact point; the DPO is an independent compliance advisor. Different liability regimes.

Is the EU representative liable for the controller’s violations?

The controller remains primarily responsible (Recital 80). But the representative can be named in enforcement actions and served with administrative penalties — confirmed by EDPB Guidelines 3/2018.

How much does an EU representative service cost?

€1,500-€5,000/year for basic to standard service. Premium services with DPIA support and compliance audits range €5,000-€15,000.

Written by

Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
