Loading…
Article 27 GDPR requires non-EU controllers and processors that offer goods or services to people in the EU, or that monitor the behaviour of people in the EU, to designate a Representative in writing established in one of the EU Member States where those data subjects are located. The Representative is the single point of contact for Supervisory Authorities and data subjects.
There are two narrow exemptions: (1) occasional, low-risk processing that excludes special-category and criminal-conviction data, and (2) public authorities and bodies. Misunderstanding these exemptions is the most expensive mistake non-EU businesses make.
Failure to designate a Representative is a category-4 violation of Article 83(4) — fines up to €10 million or 2% of global annual turnover, whichever is higher. Several Supervisory Authorities (CNIL, the Hamburg DPA, Spain's AEPD) have actively enforced this since 2021.
Article 27(1) GDPR reads:
"Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union."
That short sentence creates a major operational obligation. Article 3(2) — the extraterritorial scope clause — applies whenever processing relates to: (a) offering goods or services to data subjects in the EU, or (b) monitoring data subjects' behaviour in the EU.
The Representative is therefore a structural attachment to non-EU processing: an in-Union mailbox, point of contact, and accountability hook. They sit between your non-EU operations and the EU's 27 national Supervisory Authorities.
You need a Representative if you tick all four of these boxes:
Two clarifications matter in practice:
Article 27(2) provides two narrow exemptions:
Processing that is (a) occasional, (b) does not include, on a large scale, special-category data under Article 9 or criminal-conviction data under Article 10, and (c) is unlikely to result in a risk to the rights and freedoms of natural persons, considering nature, context, scope, and purposes, is exempt.
All three conditions must be satisfied. The EDPB Guidelines 3/2018 are strict about "occasional" — it means one-off or sporadic, never regular business operations. Continuous tracking, recurring analytics, or any ongoing data flow rarely qualifies.
Public authorities and public bodies are not required to designate a Representative. This exemption is rarely operative for commercial businesses but is relevant for foreign government agencies, central banks, and international organisations.
Article 27(4) defines the Representative's role:
"The representative shall be mandated by the controller or processor to be addressed, in addition to or instead of the controller or the processor, by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation."
Crucially, the Representative is not a substitute for a DPO. The two roles can be held by different parties, and the DPO obligation (Art. 37) is triggered by different criteria.
Article 27(3) requires the Representative to be established in one of the Member States where the data subjects whose personal data is being processed are located. In practice, you have flexibility: if your EU users are spread across multiple Member States, you can pick the one whose Supervisory Authority best matches your operating model.
Common choices: Ireland (English-language, friendly to tech), Germany (more SAs to coordinate but strict), the Netherlands (English-fluent regulator), France (CNIL has strong enforcement reputation), and Spain (AEPD with active enforcement).
The mechanics:
The Representative's identity and contact details must be communicated to data subjects (Articles 13(1)(a) and 14(1)(a)). Concretely, this means including the name, postal address, and contact email of the Representative in:
Failure to publish the Representative is itself a violation of transparency obligations (Article 12), subject to lower-tier fines under Article 83(4).
Article 27(5) is unambiguous: the designation of a Representative does not affect the legal actions that could be initiated against the controller or processor itself. The Representative does not assume liability for the controller's underlying violations.
However, the Representative may be subject to enforcement actions related to its own obligations — making the records available, cooperating with Supervisory Authorities, and being reachable. A Representative that fails to perform its mandated function risks suspension by the appointing controller and reputational damage in the Representative-services market.
Failure to designate a Representative is a violation of Article 27 itself — a category-4 violation under Article 83(4) GDPR. The applicable fine ceiling is:
Enforcement has been steady since 2021. Notable cases include CNIL's actions against US-based ad-tech, Hamburg's investigation of foreign analytics providers, and AEPD's findings against international advertising networks. Even when not the sole basis of a fine, the absence of a Representative often signals a broader compliance gap that aggravates penalties.
UK GDPR Article 27 mirrors the EU obligation but applies to non-UK controllers and processors targeting individuals in the UK. Since 1 January 2021, the EU and UK Representatives are separate roles — you need both if you target both.
Operational tip: many businesses appoint a Representative provider that offers both EU and UK representation through aligned legal vehicles, avoiding duplicate processes for breach reporting, ICO/EDPB communication, and data-subject inquiries.
No. The Representative must be established in the EU/EEA. Switzerland (despite its FADP equivalence) is outside the EEA for this purpose. Iceland, Liechtenstein, and Norway qualify.
Before you commence the in-scope processing, in principle. In practice, Supervisory Authorities treat the appointment as required to be in place before substantive processing of EU data subjects. Retroactive appointment is not a defence against past non-compliance.
Only if the entity satisfies the independence and expertise requirements of Article 37–39. Most dedicated Representative providers offer both as separate services through separate teams to avoid conflicts.
You must designate a replacement and update your published notices promptly. A gap in Representative coverage during continued processing of EU data subjects is a violation.
No. One Representative covers all EU/EEA processing. The Representative is established in one Member State; the choice of which Member State depends on where your data subjects are predominantly located.
Not by itself — the CDN provider is a processor under its own obligations. The question is whether your underlying business activity targets or monitors EU users. Most do.
RegulatoryBridge provides Article 27 EU Representative and UK Representative services across all 27 EU Member States. Single point of contact, multilingual support, transparent fixed pricing, full Supervisory Authority coverage.