What Is GDPR Article 27?

GDPR Article 27 requires controllers and processors not established in the European Union to designate, in writing, a representative in the EU. This representative acts as a point of contact for supervisory authorities and data subjects regarding all issues related to data processing.

The requirement applies when a non-EU organization processes personal data of individuals in the EU, either by offering them goods or services, or by monitoring their behavior within the EU.

Who Must Appoint an EU Representative?

The obligation applies to any controller or processor that meets both of the first two conditions below and at least one of the last two:

  • Is not established in the EU — meaning no stable legal presence in any EU member state
  • Processes personal data of EU residents — including names, email addresses, IP addresses, and behavioral data
  • Offers goods or services to EU residents — even free services count if they target the EU market
  • Monitors behavior of EU residents — including website analytics, tracking, profiling, and ad targeting

Narrow Exemptions

Article 27(2) provides limited exemptions for:

  • Processing that is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of natural persons
  • Public authorities or bodies

In practice, most commercial organizations with recurring EU users or customers do not qualify for these exemptions. The European Data Protection Board has interpreted "occasional" narrowly.

What Does an EU Representative Do?

The representative's responsibilities include:

  • Receiving communications from supervisory authorities on behalf of the controller/processor
  • Receiving requests from data subjects exercising their rights
  • Maintaining records of processing activities (Article 30)
  • Cooperating with supervisory authorities during investigations

Why Licensed Attorneys Make Better Representatives

While GDPR does not require the representative to be a lawyer, there are significant advantages to choosing one:

  • Substantive responses: When a supervisory authority contacts your representative, it expects qualified engagement, not mail forwarding
  • Risk assessment: Attorneys can evaluate the legal implications of regulatory inquiries before escalating to your team
  • Incident coordination: Data breach responses require legal judgment about notification obligations and authority engagement
  • Regulatory language: Attorneys understand the formal language and procedural expectations of EU supervisory authorities

At rep4eu, both co-founders are licensed German Rechtsanwälte with decades of data protection experience. This means your representative doesn't just receive mail — they understand what it means and how to respond.

Penalties for Non-Compliance

Failure to appoint an EU representative when required is itself a GDPR violation. While the penalty for this specific infringement is classified under Article 83(4) (lower tier, up to €10 million or 2% of global turnover), non-compliance with Article 27 often accompanies other violations that fall under the higher tier (up to €20 million or 4%).

Beyond fines, the practical consequences include:

  • Blocked enterprise deals due to visible compliance gaps
  • Regulatory investigations triggered by data subject complaints
  • Reputational damage from public enforcement actions

How to Get Started

Appointing an EU representative is straightforward:

  1. Assess your obligation — Use our free risk assessment to determine if Article 27 applies
  2. Choose your representative — Select a provider with legal expertise, not just a postal address
  3. Sign the designation agreement — A formal written agreement between your organization and the representative
  4. Update your privacy notices — Include the representative's name and contact details
  5. Notify authorities if required — Your representative handles this on your behalf

With rep4eu, this process typically takes 24-48 hours from documentation to full designation.