Insights / EU Article 27 decision guide
Do I need an EU GDPR Representative?
You are likely to need an EU Representative when your organisation is outside the EU, has no relevant EU establishment and EU GDPR applies because you offer goods or services to people in the EU or monitor their behaviour there — unless a narrow exemption applies.
This guide provides a structured starting point, not a substitute for legal advice on a complex fact pattern.
Start with four questions
Which entity and processing are you assessing?
Group structures can produce different answers for different entities. Identify who determines the purposes and means, who processes on behalf of others, and which entity operates the product or monitoring activity. Do not assume that one EU group company automatically acts as the establishment or Representative for every non-EU entity.
Do you have an EU establishment?
An establishment is assessed functionally, not only by company registration. A stable arrangement through which activities are effectively carried out may be relevant, and the processing must be examined in the context of the establishment's activities. An appointed Representative does not itself create an EU establishment.
Are you offering goods or services, or monitoring behaviour?
Look for actual EU market direction and actual monitoring activity: EU-specific customers, campaigns, shipping, currencies, languages, terms, support arrangements, tracking, profiling and behavioural analysis. No single indicator is always decisive.
Can you rely on the exemption?
The exemption is not simply 'small business' or 'few EU customers'. The processing must be occasional, must not include large-scale processing of specified sensitive or criminal data, and must be unlikely to result in risk to people. Public authorities and bodies are separately outside the appointment requirement.
Illustrative outcomes
| Situation | Likely next step |
|---|---|
| US SaaS platform actively marketing to EU businesses and profiling EU users | EU GDPR scope and Article 27 are likely to require detailed assessment; appointment may be required. |
| UK retailer regularly shipping to several EU countries | EU targeting indicators are present; assess establishment and exemption, then appointment. |
| Australian consultant completes a rare, low-risk project for one EU company | The exemption may be relevant, but frequency, data, risk and future activity must be documented. |
| Canadian company has an EU branch involved in the relevant processing | Article 27 may not be the correct mechanism for that processing; assess EU establishment scope. |
| Global website with no EU marketing, shipping, users or monitoring | Mere accessibility is not enough by itself; record the facts and revisit if activity changes. |
Every outcome above is illustrative — it shows the likely next assessment step, not a legal determination for your organisation.
If the answer is yes
- Select an eligible EU Member State based on where the relevant people are located.
- Appoint the Representative in writing.
- Define the entities, products and processing covered by the mandate.
- Update privacy information with the Representative identity and contact details.
- Make sure Article 30 records and internal contacts are ready for the operating process.
- Test the correspondence and escalation route.
If the answer is no or uncertain
Keep a decision record. State the entities and processing assessed, the establishment analysis, targeting or monitoring facts, exemption reasoning, reviewer and triggers for reassessment. An uncertain result should be escalated rather than forced into a yes/no answer.
For the legal detail behind each step, see Article 27 Explained or the DPO vs Representative comparison.
Get a documented answer
The assessment applies these questions to your facts and produces a provisional, documented result before any contact details are requested. Also serving the UK? See the UK guide.