
A lot of non-EU companies assume Article 27 is somebody else’s problem until a customer questionnaire, DPA review, or regulator email proves otherwise. If you are asking when Article 27 is required, the short answer is this: if your company is outside the EU, has no EU establishment, and still targets or monitors people in the EU, you may need to appoint an EU representative even if you are small, remote, and have never set foot in Europe.
That requirement catches more US businesses than they expect. SaaS companies with EU signups, ecommerce brands shipping to Germany or France, app developers tracking user behavior, and B2B vendors marketing to EU prospects all end up in the same place. The real issue is not whether you intended to trigger GDPR. It is whether your business activity actually did.
When is Article 27 required?
Article 27 is required when a controller or processor is not established in the EU but falls within the territorial scope of GDPR under Article 3(2). In plain terms, that usually means your company is based outside the EU and either offers goods or services to people in the EU or monitors their behavior in the EU.
Those two triggers matter more than many companies realize. “Offering goods or services” does not require a local office, local entity, or local team. If your website accepts EU orders, your pricing or marketing speaks to EU users, or your sales process clearly welcomes EU customers, regulators can treat that as targeting the EU market.
“Monitoring behavior” is also broader than companies expect. It can include tracking users for analytics, profiling for advertising, location tracking, behavior-based personalization, or any structured observation of how people act online. If your business model depends on watching what EU users do, Article 27 should already be on your radar.
The three-part test most non-EU companies should use
The cleanest way to assess whether Article 27 applies is to ask three questions.
First, are you established outside the EU? If your company is US-based or otherwise organized outside the EU, that part is usually easy.
Second, do you lack an EU establishment? A few customers in Europe do not create an establishment by themselves. But a real operational presence might. If you have a stable office, branch, or meaningful business presence in the EU, your analysis changes. Many non-EU companies, though, have revenue from Europe without any actual EU establishment.
Third, are you subject to GDPR because you target or monitor individuals in the EU? If the answer is yes, Article 27 is often required unless a narrow exemption applies.
That last point is where most mistakes happen. Companies spend too much time asking whether they are “doing business in Europe” in a corporate sense and not enough time looking at what their websites, apps, ads, and customer journeys actually do.
Common trigger scenarios
A US ecommerce brand that ships to multiple EU countries, displays EU shipping options, and collects customer account data is a classic case. So is a SaaS company with EU users, especially if it runs product analytics, account-based marketing, support logs, and usage tracking.
A mobile app developer can trigger Article 27 even faster. If the app is available to EU residents and collects device data, behavior data, geolocation, or advertising identifiers, that is often enough to create GDPR exposure.
B2B companies are not exempt just because they sell to businesses. If they collect personal data from EU-based contacts, market to named individuals, track website visitors from the EU, or process employee data on behalf of EU clients, Article 27 may still apply.
Processors need to pay attention too. If your company provides services to customers that involve handling personal data of people in the EU, and you are outside the EU with no establishment there, Article 27 is not just a controller issue. It can apply to processors as well.
When Article 27 may not be required
There are exemptions, but they are narrower than many privacy policies suggest.
The main exemption is for processing that is occasional, does not include large-scale processing of special category or criminal data, and is unlikely to result in a risk to individuals’ rights and freedoms. That sounds useful until you apply it to a real business.
“Occasional” is the stumbling point. If your company regularly sells into the EU, runs ongoing marketing campaigns there, supports EU customer accounts, or continuously collects analytics from EU visitors, your processing is not occasional. It is part of your operating model.
The risk test is not a free pass either. Even ordinary business processing can create rights-related risk depending on volume, tracking, profiling, retention, and cross-border handling. Add special category data, HR data, health data, children’s data, or anything remotely sensitive, and the exemption argument gets weaker fast.
Public authorities and bodies cannot rely on this exemption at all.
The most common bad assumptions
One bad assumption is that Article 27 only applies if you have a lot of EU customers. GDPR does not set a revenue threshold or minimum user count for this requirement. A modest but deliberate EU customer base can be enough.
Another is that English-only websites are safe. They are not. If you ship to the EU, contract with EU customers, or otherwise make your service available there, language alone will not save the analysis.
A third is that a cookie banner or privacy policy fixes the issue. It does not. Article 27 is about appointing a representative in the EU. Disclosure without actual designation leaves a visible compliance gap.
Then there is the mailbox trap. Some companies know they need a representative and pick the cheapest address provider they can find. That may satisfy a procurement checklist on paper, but it does not help much when a supervisory authority reaches out, a data subject complaint lands, or a client wants evidence of real legal coordination. Representation is not just receiving mail. It is part of your enforcement posture.
Why this matters beyond fines
Article 27 is often treated as a technical GDPR detail. It is not. It shows up in customer diligence, contract reviews, security assessments, and regulator-facing documentation. If your company is visibly subject to GDPR and has no EU representative where one is required, that gap is easy to spot.
For US businesses, the commercial consequences can hit before any regulator does. EU prospects may hold up deals. Enterprise customers may escalate the issue to legal. Existing clients may ask for your representative details and lose confidence when the answer is vague.
There is also a practical reason to get this right. If an authority contacts your company from Europe, or a data subject exercises rights tied to EU processing, you need a designated, credible point of contact. That is not a clerical function. It needs legal judgment, response discipline, and a process that does not fall apart under pressure.
How to assess your exposure quickly
Start with your actual facts, not your assumptions. Where are your users located? Do you accept EU customers? Do you market into EU countries? Do you track behavior, use adtech, profile users, or process support and account data tied to EU residents?
Then look at your role. Are you the controller deciding why and how data is used, or a processor handling it for clients? Either role can trigger Article 27 if you are outside the EU and within GDPR scope.
Next, test the exemption honestly. If your EU-facing processing is recurring, part of normal operations, or remotely sensitive, do not force a weak “occasional processing” argument just because it feels cheaper in the short term.
If the analysis points to Article 27, appoint a representative before the issue appears in a deal cycle or an inquiry. A lawyer-led service like rep4eu gives non-EU companies something a basic forwarding address does not - actual legal response capability when questions arrive.
What a compliant setup should include
A proper Article 27 setup should result in a formal written designation, accurate privacy notice disclosures, and a representative that can actually receive and handle authority and data subject communications. If your provider cannot do more than forward messages, you are buying optics, not much protection.
That distinction matters because regulators, counterparties, and privacy-conscious customers all care about the same thing: whether someone competent stands between your company and preventable compliance failure.
If your business reaches into the EU, do not wait for a complaint, a procurement block, or a regulatory letter to force the question. The better time to answer the question of when Article 27 is required is before someone else answers it for you.