Skip to content

GDPR Representative / EU and UK Article 27 coverage

Coordinated EU and UK GDPR Representative service

Two jurisdiction-specific legal appointments, one coordinated onboarding and reporting process for organisations operating outside both territories.

Separate EU and UK mandates and contact routes, managed through one practical operating model.

Who needs both appointments?

A combined service is relevant where an organisation is outside both the EU and UK, has no relevant establishment in either territory, and independently meets the territorial trigger for processing connected with people in each market.

The answer may differ by product, entity or processing activity. An organisation could need EU representation but not UK representation, or the reverse. The assessment must therefore reach two conclusions rather than treating EU and UK coverage as one test. If only one market applies, see the EU-only service or the UK-only service.

One service, two legal appointments

The commercial experience can be coordinated, but the legal structure remains separate. The EU Representative must satisfy the EU establishment rule. The UK Representative must be established in the UK. Each operates under its own mandate and contact details.

EU appointment, UK appointment and the coordinated layer
ElementEU appointmentUK appointmentCoordinated layer
Legal basisEU GDPR Articles 3(2) and 27UK GDPR territorial scope and Article 27One intake and governance process
EstablishmentEligible EU Member StateUnited KingdomCentral client contacts and reporting
Authority contactRelevant EU supervisory authority or authoritiesInformation CommissionerShared escalation standards
Public disclosureEU Representative identity/contactUK Representative identity/contactConsistent notice-update project
MandateSeparate EU appointmentSeparate UK appointmentCoordinated renewal and review

What is included

  • Separate EU and UK territorial-scope assessments.
  • Documented conclusions on both representative requirements and exemptions.
  • EU and UK entity selection and appointment documentation.
  • One onboarding inventory of entities, products, markets, processing and internal contacts.
  • Jurisdiction-specific privacy-notice wording and public contact details.
  • Coordinated correspondence logging and escalation, with jurisdiction-specific handling where required.
  • Combined client reporting that preserves the distinction between EU and UK matters.
  • Periodic review when markets, establishments or processing change.

Appointed EU Representative

Representative:
Privacy Core Services Ltd (C 95774)
Establishment:
Malta (EU Member State)
Address:
124, 21st September Avenue, Naxxar NXR 1015, Malta
Contact:
privacy@privacycoreservices.com (monitored)

Appointed UK Representative

Representative:
PCS UK Ltd
Establishment:
United Kingdom
Address:
111 City Road, London, EC1V 2NX, United Kingdom
Contact:
privacy@mypcsuk.com (monitored)

How onboarding works

  1. Single intake

    Gather the entity structure, establishments, markets, products, monitoring activity and current privacy information once.

  2. Dual assessment

    Apply the EU and UK tests separately and document any exemption reasoning.

  3. Entity confirmation

    Select the EU establishment and the UK-established Representative arrangement.

  4. Separate mandates

    Execute jurisdiction-specific appointments, scopes and contact instructions.

  5. Notice and record update

    Add both contacts where applicable and align rights and escalation procedures.

  6. Operational launch

    Test each route and provide a combined client-facing governance view.

When representation is only one part of the answer

Representative appointments address local contact requirements. They do not complete the wider GDPR programme. Organisations entering both markets commonly also need updated privacy notices, Article 30 records, rights-request workflows, vendor contracts, transfer assessments, DPIAs, security evidence and possibly a DPO. See GDPR services for the wider programme, or the DPO vs GDPR Representative guide for role decisions.

Scope and pricing

The combined proposal should show what is saved through coordinated intake and reporting, while keeping each legal appointment transparent. Pricing factors include the entities covered, EU Member State, UK arrangement, market footprint, processing risk, expected correspondence, languages, record readiness and wider advisory support.

Ready to coordinate both markets?

Send us your legal structure, establishments, EU and UK market activity, monitoring, processing and existing privacy information. We will confirm whether both appointments appear necessary and identify any dependencies before issuing a proposal.

Frequently asked questions

Can one legal appointment cover both the EU and UK?

No. The service can be coordinated, but the EU and UK require separate appointments and establishments. Each contact must be accurately disclosed and operated under the relevant regime.

Do we need both services if we only have occasional UK customers?

Possibly not, but the conclusion depends on the UK territorial test and the narrow exemption. The assessment should consider whether the activity is directed at people in the UK, whether behaviour is monitored, the frequency and risk of processing, and any UK establishment.

Which EU country will the EU Representative be located in?

The EU Representative must be established in a Member State where relevant data subjects are located. The chosen state should reflect your actual markets and affected population, and must be confirmed before appointment.

Can Privacy Core also act as our DPO?

That requires a separate DPO-trigger and conflict assessment. The two roles have different duties. Where the same provider is considered, independence, instructions, decision-making and escalation must be reviewed and documented.

What happens if we stop targeting one market?

The organisation should review the relevant processing, customers, monitoring, residual obligations and ongoing correspondence before ending an appointment. Stopping new sales does not necessarily end all processing connected with people in that market.

Can we add Switzerland or another jurisdiction later?

Additional jurisdictions require their own legal and service assessment. They should not be described as extensions of the EU or UK Article 27 appointment unless the relevant law and service arrangement support that conclusion.

Reviewed by Zuzana Ruddock, Certified DPO and EU General Data Protection Regulation Practitioner (certified by the International Board for IT Governance Qualifications). Last reviewed: 11 July 2026. This page is general information, not legal advice.