Who Needs GDPR Article 27?

If your US company has no office in Europe but sells to people in France, runs ads in Germany, or tracks user behavior across the EU, the question is not academic. Who needs to comply with GDPR Article 27 is a live compliance issue, and regulators, customers, and procurement teams increasingly expect you to have a clear answer.

For many non-EU businesses, Article 27 is the GDPR rule that gets missed until a sales deal stalls, a privacy questionnaire lands in legal, or a regulator notices that your privacy notice names no EU representative. That gap is visible. And visible gaps create leverage against you.

Who needs an Article 27 representative under the GDPR?

Article 27 applies to many companies outside the European Union that process personal data of people in the EU while lacking an EU establishment. In plain terms, if you are based in the US or another non-EU country and you target, serve, or monitor individuals in the EU, you may need to appoint an EU representative.

The rule connects directly to Article 3(2) of the GDPR. That is the extraterritorial scope provision. If your business offers goods or services to people in the EU, even for free, or monitors their behavior as far as that behavior takes place in the EU, GDPR can apply to you. When it does, Article 27 often follows.

This is where many teams get it wrong. They assume Article 27 only matters for large enterprises, ad tech companies, or businesses with a physical footprint in Europe. It does not. A SaaS company in Texas, a Shopify brand in California, or a mobile app in New York can all trigger it without ever opening an EU office.

The practical test: when Article 27 is usually required

A non-EU company usually needs an EU representative when three facts are true. First, it does not have an establishment in the EU. Second, GDPR applies because the company is offering goods or services to people in the EU or monitoring their behavior there. Third, no narrow exemption removes the requirement.

That means Article 27 often applies to companies such as US ecommerce stores shipping to EU countries, SaaS vendors selling subscriptions to EU users, B2B software companies onboarding EU employees or customer contacts, apps collecting analytics or location data from EU users, and marketing teams running behavior-based tracking or retargeting in the EU.

Intent matters. If your website is clearly directed at EU markets through EU shipping, EU customer support, local language targeting, pricing for EU buyers, or campaigns aimed at EU residents, regulators can view that as offering goods or services into the EU. Monitoring can be even broader. If you profile, track, analyze, or predict user behavior in the EU, especially for advertising or product analytics, that can be enough.

In business terms, if the EU is part of your growth strategy, Article 27 deserves attention.

Who does not need GDPR Article 27?

Not every non-EU business needs one. There are edge cases, and this is where legal nuance matters.

If you do not target people in the EU and do not monitor them, Article 27 may not apply at all because GDPR may not apply under Article 3(2). A US company with a purely domestic offering and no EU-facing activity is in a different category from a company actively pursuing EU users.

There is also a limited exemption under Article 27(2). You may not need an EU representative if your processing is occasional, does not include large-scale processing of special category data or criminal offense data, and is unlikely to result in a risk to individuals' rights and freedoms. That sounds comforting, but in practice many commercial businesses should be cautious before relying on it.

The exemption is narrow for a reason. "Occasional" does not fit well when you continuously collect customer data, run ongoing marketing campaigns, maintain user accounts, or process employee or lead data as part of normal operations. If EU personal data enters your systems regularly, your processing may not look occasional to a regulator.

This is why shortcut advice is dangerous. Founders often hear that small companies are exempt. That is not the test. The real question is what you do, who you target, how often you process EU personal data, and whether your processing creates meaningful privacy risk.

Common examples of businesses that need Article 27

A US ecommerce brand that ships to Italy and Spain almost certainly needs a serious review. So does a software company with EU trial users, a recruiting platform screening EU candidates, or a B2B vendor collecting contact details from EU-based customer employees.

Ad-supported apps are especially exposed. If you use SDKs, behavioral analytics, cookies, location tracking, device fingerprinting, or profiling for growth and retention, you may be monitoring behavior in the EU. That is a classic Article 3 trigger, and Article 27 can follow quickly.

Service providers are not automatically outside the rule either. If you are a non-EU processor handling EU personal data on behalf of clients while caught by the GDPR's territorial scope, Article 27 can still matter. The analysis changes depending on your role and facts, but processors should not assume this is only a controller issue.

Why this matters beyond legal theory

Article 27 is not just a box on a compliance checklist. It affects how your company appears to regulators, enterprise buyers, and privacy-savvy customers.

When a privacy notice names no EU representative despite obvious EU-facing activity, that gap is easy to spot. Procurement teams notice it. Diligence counsel notices it. Supervisory authorities can notice it too. Once noticed, it raises a broader question: if the company missed a basic visibility requirement, what else is not in place?

There is also an operational reason to get this right. An EU representative is meant to be a reachable point of contact for supervisory authorities and data subjects on GDPR matters. If your business receives a regulatory inquiry or a rights request tied to EU activity, you need more than a rented address that forwards emails into a crowded inbox.

That is where the quality of representation matters. A mailbox provider can create the appearance of compliance while leaving you exposed when something actually happens. A lawyer-led representative service can triage requests, respond credibly, and coordinate next steps before a manageable issue becomes a formal problem.

The mistakes companies make when deciding

The first mistake is assuming Article 27 only applies after major EU revenue appears. Revenue size is not the trigger. Market targeting and monitoring are.

The second is treating the issue as a privacy policy edit. Appointing a representative is not just adding a name and address to your notice. It requires a formal designation and a representative capable of handling authority and data subject contact in a meaningful way.

The third is overreading the exemption. Teams tell themselves their EU processing is occasional, while running ongoing analytics, CRM workflows, customer onboarding, and retention campaigns touching EU individuals every week. That argument can collapse fast under scrutiny.

The fourth is choosing the cheapest provider without asking what happens when a regulator writes in. If the answer is simple forwarding, you are buying an address, not representation.

How to assess whether you need Article 27

Start with your actual business behavior, not your assumptions. Ask whether you have any establishment in the EU. Then look at whether you offer goods or services to people in the EU or monitor their behavior there. Review your website targeting, shipping practices, onboarding flow, ad campaigns, analytics stack, app permissions, and sales pipeline.

Then look at volume and regularity. If EU personal data enters your systems as part of ongoing commercial activity, be skeptical of any claim that processing is merely occasional. Finally, assess whether you process sensitive data, children’s data, location data, behavioral profiles, or anything else that could increase risk to individuals.

If this review points toward Article 27, move quickly. The fix is usually straightforward, but delay creates unnecessary exposure. A proper provider should make onboarding simple while giving you documentation, publication-ready representative details, and real response capability if an authority or data subject reaches out.

For many US companies, this is exactly where rep4eu fits: a lawyer-led EU representative service built for non-EU businesses that need more than a passive mailbox.

A clear rule of thumb for who needs GDPR Article 27

If your non-EU company intentionally does business with people in the EU or tracks their behavior, and you have no EU establishment, assume Article 27 is on the table until qualified review proves otherwise. That is the commercially sensible position.

Waiting for a complaint, deal friction, or regulator contact is the expensive way to learn the answer. The better approach is to treat Article 27 as part of market entry hygiene: if you want EU users, EU customers, or EU growth, put credible representation in place before the gap starts speaking for you.

The companies that handle this well are not the ones with the biggest legal teams. They are the ones that understand a simple point: when your business reaches into Europe, your compliance posture has to reach there too.