Skip to content

Resources / Reference guide

GDPR Article 27 explained

Article 27 requires certain controllers and processors outside the EU or UK to appoint a local Representative in writing. The appointment supports regulatory and individual contact but does not transfer the organisation’s accountability.

What Article 27 is for

EU GDPR can apply to an organisation outside the EU where the relevant processing relates to offering goods or services to people in the EU or monitoring their behaviour in the EU. Article 27 creates a local representative requirement for many organisations caught by that extraterritorial rule.

The UK GDPR contains an analogous requirement for relevant organisations outside the UK. Because the EU and UK are separate legal territories, the tests and appointments should be completed separately.

The Article 27 decision sequence

  1. Identify the actor

    Identify the controller or processor and the processing activity being assessed.

  2. Check establishments

    Determine whether there is a relevant establishment in the EU or UK.

  3. Apply the territorial test

    Assess offering of goods or services and monitoring of behaviour in the territory.

  4. Assess the exemptions

    Consider the public-body and occasional low-risk exemptions.

  5. Appoint in writing

    If required, select an eligible establishment and execute a written mandate.

  6. Update your information

    Update privacy information, records, public contacts and internal escalation procedures.

What counts as offering goods or services?

The assessment looks for an intention to serve people in the territory. Availability of a website from the EU or UK is not enough on its own. Relevant indicators can include market-specific language or currency, delivery or service availability, local campaigns, domain or contact choices, and references to users or customers in the territory. The indicators must be considered together and in context.

What counts as monitoring behaviour?

Monitoring can include tracking or profiling people to analyse or predict behaviour, preferences, interests, reliability, location, movements or other characteristics. The territorial test focuses on behaviour taking place in the relevant territory. The analysis should identify the actual technologies and purposes rather than treating all analytics as automatically equivalent.

The exemption is cumulative

For the EU, the occasional-processing exemption is available only where the processing is occasional, does not include large-scale processing of special-category or criminal-conviction/offence data, and is unlikely to create risk to people after considering its nature, context, scope and purposes. These conditions operate together — failing one means the exemption is not available.

The UK representative exemption should be assessed against the UK wording and ICO guidance. The decision should be recorded and reviewed when the business or processing changes.

Good practice

A one-line statement that processing is “low risk” is not a defensible exemption assessment. Record frequency, scale, data categories, purpose, affected people, risks and reviewer.

What the Representative must be able to do

  • Be addressed on relevant processing issues by individuals and supervisory authorities.
  • Operate under the controller or processor's written mandate.
  • Provide an effective and accessible local contact route.
  • Support cooperation with the relevant supervisory authority.
  • Make relevant records available where the law requires the controller, processor or Representative to provide them.

Where the EU Representative must be established

The EU Representative must be established in one of the Member States where the affected people are located. Where a significant proportion is in a particular Member State, the EDPB recommends locating the Representative there as good practice. A representative presence does not create an EU establishment for the controller or processor and does not create access to the GDPR one-stop-shop mechanism by itself.

Information that usually needs updating

  • Privacy notices and other Articles 13/14 information.
  • Rights-request and complaints contact routes.
  • Article 30 records and responsibility maps.
  • Incident, regulator and legal-correspondence procedures.
  • Public website, app or product contact information where applicable.
  • Vendor and client documentation that asks for the Representative contact.

Common mistakes

  • Assuming a globally accessible website means EU or UK targeting without analysing the actual indicators.
  • Relying on the occasional-processing exemption without applying all conditions.
  • Using one appointment or address for both EU and UK coverage.
  • Describing the Representative as the organisation's DPO.
  • Publishing a contact address without a documented mandate and functioning escalation process.
  • Failing to update privacy information or internal owners after appointment.
  • Treating appointment as a substitute for the underlying GDPR programme.

Apply it to your organisation

The assessment gives you a documented provisional answer for both territories. For appointment support, see the EU, UK or combined service pages.

Primary sources

  • EU GDPR consolidated text, Articles 3 and 27 (EUR-Lex).
  • EDPB Guidelines 3/2018 on the territorial scope of the GDPR.
  • ICO guidance: Do we need a UK representative?
  • UK GDPR Article 27 text (legislation.gov.uk).
Reviewed by Zuzana Ruddock, Certified DPO and EU General Data Protection Regulation Practitioner (certified by the International Board for IT Governance Qualifications). Last reviewed: 11 July 2026. This page is general information, not legal advice.