
If your US company collects leads from France, sells subscriptions in Germany, or tracks app users in Spain, Article 27 is not a side issue. The Article 27 GDPR requirements can apply even when you have no office, staff, or legal entity in Europe, and regulators, enterprise buyers, and privacy teams increasingly know to look for that gap.
This is where many non-EU businesses get caught. They assume GDPR only matters if they are "based" in the EU. That is wrong. GDPR reaches companies outside Europe when they offer goods or services to people in the EU, or monitor their behavior there. Once that threshold is met, Article 27 often requires you to appoint an EU representative.
That requirement is not paperwork for paperwork's sake. It creates a named, reachable point of contact inside the EU for supervisory authorities and data subjects. If you skip it, your privacy notice can show the omission in plain sight. Procurement teams notice it. Regulators notice it. Sophisticated customers notice it.
What Article 27 GDPR requirements actually say
At a practical level, Article 27 requires certain controllers and processors outside the EU to designate a representative in the Union, in writing. That representative acts on your behalf regarding your GDPR obligations. The appointment must cover the member states where the affected individuals are located.
The representative is meant to be available to supervisory authorities and to data subjects on issues related to processing. That means this is not just about listing an address. It is about having a real contact point that can receive inquiries, route requests, and support a response that makes legal and operational sense.
For US businesses, this matters because the requirement is triggered by activity, not by corporate footprint. A Delaware company with no European subsidiary can still need an EU representative if it markets to EU residents, accepts orders from them, localizes pricing, runs EU-targeted ads, or tracks their behavior through cookies, analytics, pixels, device fingerprinting, or app telemetry.
Who needs an EU representative under Article 27?
The starting question is simple: are you a controller or processor that is not established in the EU, but your processing falls under GDPR because you target or monitor people in the EU? If yes, Article 27 is likely in play.
Controllers are usually the businesses deciding why and how personal data is used. Processors handle personal data on behalf of someone else. Both can be caught by Article 27. A SaaS vendor in the US may be a controller for its own marketing data and a processor for customer data inside the platform. Either role can trigger the requirement depending on the facts.
Common examples include ecommerce brands shipping to EU customers, B2B SaaS companies onboarding EU users, mobile apps tracking in-app behavior, adtech businesses profiling visitors, HR platforms serving multinational employers, and US service providers processing EU personal data for clients.
The legal test sounds narrow, but in business reality it covers a lot of companies. If your website references EU users, supports EU currencies, ships to EU countries, or runs campaigns intentionally aimed at EU markets, arguing that you are not offering goods or services to people in the EU can be difficult.
When Article 27 does not apply
There are exceptions, but they are narrower than many companies hope.
You may not need an EU representative if the processing is occasional, does not include large-scale processing of special category data or criminal offense data, and is unlikely to result in a risk to the rights and freedoms of individuals. Public authorities are also outside the requirement.
The word "occasional" does a lot of work here. If you routinely sell to EU customers, maintain user accounts for EU residents, run recurring campaigns into EU markets, or continuously analyze user behavior, that is not occasional in any normal business sense. The exception also becomes hard to defend when your processing is tied to revenue generation, product analytics, or ongoing customer support.
This is one of the biggest mistakes companies make. They latch onto the exception because it sounds available, but their actual operations tell a different story. If your EU-facing activity is regular, intentional, and part of your business model, assume regulators will see it that way too.
What your EU representative must do in practice
A compliant appointment is more than a name in a privacy notice. The representative should be formally designated in writing and positioned to handle inbound contact from both supervisory authorities and data subjects.
In practice, that means the representative should be able to receive authority inquiries, route data subject requests, support incident response coordination, and maintain enough awareness of your processing to respond credibly. A passive mailbox service may give you an address, but it may not give you meaningful legal handling when a regulator asks questions or a complaint arrives.
That distinction matters. Article 27 creates an accountability mechanism. If your representative cannot do more than forward emails, you may have solved the appearance issue without solving the operational one. For businesses facing procurement review, diligence requests, or actual regulator contact, that is a weak position.
A serious representative arrangement usually includes written designation documents, clear intake and escalation procedures, and alignment with your privacy notice, records, and incident workflows. If none of that exists, the appointment may look thin when tested.
Article 27 GDPR requirements for your privacy notice and records
One visible requirement is disclosure. If Article 27 applies, your privacy notice should identify your EU representative and provide their contact details. This is often where non-compliance becomes obvious. A buyer, auditor, or regulator can read the notice and immediately see whether the designation exists.
Your internal compliance records also need to match reality. If a representative is appointed, your documentation should reflect who they are, what they handle, how requests are escalated, and who inside your company owns the relationship. If your legal page lists a representative but your team has no process for using them, the gap will show up under pressure.
That is why Article 27 should not be treated as a line item to check off. It has to connect to your actual response operations.
The business risk of getting Article 27 wrong
The risk is not limited to theoretical fines. Yes, Article 27 is part of GDPR and can carry enforcement consequences. But many companies feel the pain earlier in sales, vendor review, and trust.
Enterprise customers increasingly ask non-EU vendors whether they have an Article 27 representative. Security questionnaires, privacy addenda, and procurement reviews often surface the issue. If your answer is vague, deals can slow down. If your privacy notice is visibly missing the representative where one is required, legal teams may see that as a broader compliance warning sign.
There is also an operational risk. If a data subject exercises rights or a supervisory authority reaches out, delays and mishandling create unnecessary exposure. The wrong provider can leave your team scrambling to interpret legal requests after the fact.
This is why the cheapest option is not always the cheapest outcome. A mailbox provider may look sufficient until something actually happens.
How to meet Article 27 GDPR requirements without overbuilding
Most non-EU companies do not need to build a European legal function from scratch. They do need to put real structure in place.
Start by confirming whether your business targets or monitors people in the EU, and whether any exception is realistically available. Then identify whether you act as controller, processor, or both. From there, appoint an EU representative in writing, update your privacy notice, and make sure the representative can actually handle inbound matters instead of just relaying them.
You should also align internal owners. Your legal, privacy, security, and support teams need to know what happens if a regulator contacts the representative, if a rights request is routed through them, or if an incident affects EU individuals. Speed matters, but so does substance.
For many US companies, the sensible route is a lawyer-led service that combines formal designation with response capability. That is the difference between buying an address and putting a defensible compliance function in place. Services like rep4eu are built around that distinction.
What regulators and buyers expect
They do not expect perfection. They do expect seriousness.
If Article 27 applies to your company, you should be able to show that you identified the requirement, formally appointed a representative, disclosed them properly, and built a process for handling inquiries. If you cannot do that, you are exposed in a way that is easy for outsiders to spot.
The right move is usually straightforward: fix the gap before a regulator, customer, or diligence team finds it for you. Article 27 is one of those GDPR requirements that looks small until it becomes the detail that holds up a contract or invites the wrong kind of attention. A credible representative does more than satisfy a legal formality: it gives your business a stable point of defense when Europe comes knocking.