Skip to content

GDPR Representative / EU GDPR Article 27

Appoint an EU GDPR Representative under Article 27

For organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there, Article 27 may require a written appointment to an EU-established Representative.

Documented scope assessment, appointment, contact routes and ongoing correspondence process.

Do you need an EU Representative?

An EU Representative is generally relevant when all of the following are true: your organisation is a controller or processor outside the EU; it does not have a relevant EU establishment for the processing; and EU GDPR applies because you offer goods or services to people in the EU or monitor their behaviour in the EU.

The assessment is activity-specific. A non-EU company is not automatically subject to EU GDPR simply because someone in the EU can visit its website. Equally, the absence of an EU office does not prevent EU GDPR from applying where the organisation deliberately serves the market or monitors people there.

EU Representative assessment questions
Assessment questionWhy it matters
Is there an EU establishment connected with the processing?If there is, Article 27 may not be the correct route for that processing, although EU GDPR may still apply through the establishment.
Are goods or services offered to people in the EU?The analysis considers evidence of directing activity to people in the EU, not merely global accessibility.
Is behaviour in the EU monitored?Tracking, profiling or other observation may bring relevant processing into scope when behaviour takes place in the EU.
Does the narrow exemption apply?Occasional processing, sensitive/criminal data at scale and risk must be considered cumulatively. The conclusion should be documented.

What the EU Representative does

  • Acts under a written mandate for the processing covered by the appointment.
  • Provides an EU contact point for individuals and supervisory authorities.
  • Receives, logs and routes correspondence concerning the relevant processing.
  • Supports the availability of required processing records to supervisory authorities.
  • Cooperates with supervisory authorities in connection with the mandate.
  • Maintains an agreed escalation process with named contacts inside your organisation.

What the EU Representative does not do

  • It does not become the controller or processor.
  • It does not transfer your organisation's responsibility or liability under EU GDPR.
  • It is not automatically your Data Protection Officer.
  • It does not make the underlying processing lawful merely because a Representative has been appointed.
  • It does not replace the need for appropriate records, notices, contracts, rights processes or security measures.

What is included

  • Initial Article 3(2) and Article 27 assessment, including any claimed exemption.
  • Confirmation of the selected EU Member State and representative establishment.
  • Written mandate and appointment documentation.
  • Approved Representative contact wording for privacy notices and related transparency materials.
  • Dedicated correspondence route and agreed escalation contacts.
  • Onboarding review of relevant entities, markets, products, processing and existing records.
  • Correspondence log and evidence of handling under the agreed service scope.
  • Periodic review of the appointment when markets, structure or processing materially change.

Where should the Representative be established?

Article 27 requires the Representative to be established in a Member State where the relevant people are located. Where a significant proportion of affected people is in one Member State, the EDPB recommends that state as a good-practice choice. The correct location should therefore be selected from your actual EU markets, not chosen only for administrative convenience.

Appointed EU Representative

Representative:
Privacy Core Services Ltd (C 95774)
Establishment:
Malta (EU Member State)
Address:
124, 21st September Avenue, Naxxar NXR 1015, Malta
Contact:
privacy@privacycoreservices.com (monitored)

Appointment process

  1. Territorial assessment

    Review establishments, EU market activity, monitoring and the exemption criteria.

  2. Market and processing map

    Identify the Member States, products, entities and processing covered by the mandate.

  3. Representative selection

    Confirm the legally appropriate establishment and commercial arrangement.

  4. Written appointment

    Execute the mandate and document responsibilities, contacts, scope and escalation.

  5. Transparency update

    Add Representative contact details to privacy information and other required records.

  6. Operational test

    Confirm the intake route, internal owner, response process and evidence log.

Scope and pricing factors

The price should reflect the real operating load and risk rather than a logo or address-only service. The proposal should state the included entities and products, expected correspondence, data-subject population, processing risk, languages, record-support requirements and any wider advisory work.

Pricing factors
FactorWhy it changes scope
Entities and brandsEach legal entity and public-facing brand may require separate documentation, notices and internal contacts.
EU markets and languagesThe contact and escalation model must remain accessible to the people and authorities involved.
Processing sensitivity and scaleHigher-risk or complex processing generally requires deeper onboarding and more structured escalation.
Expected correspondenceThe commercial model should distinguish basic contact availability from active case handling and advisory support.
Record supportArticle 30 availability and record quality can require additional work beyond the representative mandate.

EU Representative vs DPO

EU Representative compared with a DPO
EU RepresentativeDPO
TriggerCertain non-EU organisations subject to EU GDPR under Article 3(2).Article 37 trigger or voluntary appointment.
PurposeEU contact point and mandated representative role.Independent advice, monitoring and supervisory-authority contact.
LocationEstablished in an eligible EU Member State.Must be accessible and appropriately positioned; not the Article 27 establishment by default.
AccountabilityDoes not take over controller/processor accountability.Does not take over management accountability.

Unsure how the roles differ in practice? Read the DPO vs GDPR Representative guide, or see Article 27 Explained for the legal detail.

Ready to confirm your EU position?

Complete the requirement assessment or send us your establishment, EU markets, products, monitoring activity, data categories and current privacy notice. We will identify whether appointment is likely to be required and what must be confirmed before go-live.

Need both EU and UK coverage? See the coordinated EU + UK Representative service.

Frequently asked questions

Which non-EU organisations need an EU GDPR Representative?

The requirement generally applies where a non-EU controller or processor has no relevant EU establishment but EU GDPR applies to processing connected with offering goods or services to people in the EU or monitoring their behaviour there, unless an exemption applies.

Does the exemption for occasional processing apply to us?

Possibly, but the test is cumulative and narrow. The processing must be occasional, must not involve large-scale processing of the specified sensitive or criminal-offence data, and must be unlikely to create risk to people. The reasoning should be recorded.

Which EU country should our Representative be based in?

The Representative must be established in a Member State where the relevant people are located. Your main EU markets and the distribution of affected people should be considered. The EDPB recommends the state with a significant proportion of affected people as a good-practice choice.

Is an EU Representative the same as a DPO?

No. The Representative is the local Article 27 contact for certain non-EU organisations. A DPO has separate advisory, monitoring and independence requirements. An organisation may need both.

Do we also need a UK Representative?

You may need a separate UK appointment if UK GDPR applies to relevant UK-facing or monitoring activities and there is no relevant UK establishment or exemption. The EU appointment does not cover the UK.

What must change in our privacy notice after appointment?

Where applicable, your privacy information should include the identity and contact details of the Representative. The wording should be consistent across the privacy notice, rights process, public contact channels and internal escalation procedure.

Reviewed by Zuzana Ruddock, Certified DPO and EU General Data Protection Regulation Practitioner (certified by the International Board for IT Governance Qualifications). Last reviewed: 11 July 2026. This page is general information, not legal advice.