GDPR Representative / EU and UK Article 27 coverage
Coordinated EU and UK GDPR Representative service
Two jurisdiction-specific legal appointments, one coordinated onboarding and reporting process for organisations operating outside both territories.
Separate EU and UK mandates and contact routes, managed through one practical operating model.
Who needs both appointments?
A combined service is relevant where an organisation is outside both the EU and UK, has no relevant establishment in either territory, and independently meets the territorial trigger for processing connected with people in each market.
The answer may differ by product, entity or processing activity. An organisation could need EU representation but not UK representation, or the reverse. The assessment must therefore reach two conclusions rather than treating EU and UK coverage as one test. If only one market applies, see the EU-only service or the UK-only service.
One service, two legal appointments
The commercial experience can be coordinated, but the legal structure remains separate. The EU Representative must satisfy the EU establishment rule. The UK Representative must be established in the UK. Each operates under its own mandate and contact details.
| Element | EU appointment | UK appointment | Coordinated layer |
|---|---|---|---|
| Legal basis | EU GDPR Articles 3(2) and 27 | UK GDPR territorial scope and Article 27 | One intake and governance process |
| Establishment | Eligible EU Member State | United Kingdom | Central client contacts and reporting |
| Authority contact | Relevant EU supervisory authority or authorities | Information Commissioner | Shared escalation standards |
| Public disclosure | EU Representative identity/contact | UK Representative identity/contact | Consistent notice-update project |
| Mandate | Separate EU appointment | Separate UK appointment | Coordinated renewal and review |
What is included
- Separate EU and UK territorial-scope assessments.
- Documented conclusions on both representative requirements and exemptions.
- EU and UK entity selection and appointment documentation.
- One onboarding inventory of entities, products, markets, processing and internal contacts.
- Jurisdiction-specific privacy-notice wording and public contact details.
- Coordinated correspondence logging and escalation, with jurisdiction-specific handling where required.
- Combined client reporting that preserves the distinction between EU and UK matters.
- Periodic review when markets, establishments or processing change.
Appointed EU Representative
- Representative:
- Privacy Core Services Ltd (C 95774)
- Establishment:
- Malta (EU Member State)
- Address:
- 124, 21st September Avenue, Naxxar NXR 1015, Malta
- Contact:
- privacy@privacycoreservices.com (monitored)
Appointed UK Representative
- Representative:
- PCS UK Ltd
- Establishment:
- United Kingdom
- Address:
- 111 City Road, London, EC1V 2NX, United Kingdom
- Contact:
- privacy@mypcsuk.com (monitored)
How onboarding works
Single intake
Gather the entity structure, establishments, markets, products, monitoring activity and current privacy information once.
Dual assessment
Apply the EU and UK tests separately and document any exemption reasoning.
Entity confirmation
Select the EU establishment and the UK-established Representative arrangement.
Separate mandates
Execute jurisdiction-specific appointments, scopes and contact instructions.
Notice and record update
Add both contacts where applicable and align rights and escalation procedures.
Operational launch
Test each route and provide a combined client-facing governance view.
When representation is only one part of the answer
Representative appointments address local contact requirements. They do not complete the wider GDPR programme. Organisations entering both markets commonly also need updated privacy notices, Article 30 records, rights-request workflows, vendor contracts, transfer assessments, DPIAs, security evidence and possibly a DPO. See GDPR services for the wider programme, or the DPO vs GDPR Representative guide for role decisions.
Scope and pricing
The combined proposal should show what is saved through coordinated intake and reporting, while keeping each legal appointment transparent. Pricing factors include the entities covered, EU Member State, UK arrangement, market footprint, processing risk, expected correspondence, languages, record readiness and wider advisory support.
Ready to coordinate both markets?
Send us your legal structure, establishments, EU and UK market activity, monitoring, processing and existing privacy information. We will confirm whether both appointments appear necessary and identify any dependencies before issuing a proposal.
Frequently asked questions
Can one legal appointment cover both the EU and UK?
No. The service can be coordinated, but the EU and UK require separate appointments and establishments. Each contact must be accurately disclosed and operated under the relevant regime.
Do we need both services if we only have occasional UK customers?
Possibly not, but the conclusion depends on the UK territorial test and the narrow exemption. The assessment should consider whether the activity is directed at people in the UK, whether behaviour is monitored, the frequency and risk of processing, and any UK establishment.
Which EU country will the EU Representative be located in?
The EU Representative must be established in a Member State where relevant data subjects are located. The chosen state should reflect your actual markets and affected population, and must be confirmed before appointment.
Can Privacy Core also act as our DPO?
That requires a separate DPO-trigger and conflict assessment. The two roles have different duties. Where the same provider is considered, independence, instructions, decision-making and escalation must be reviewed and documented.
What happens if we stop targeting one market?
The organisation should review the relevant processing, customers, monitoring, residual obligations and ongoing correspondence before ending an appointment. Stopping new sales does not necessarily end all processing connected with people in that market.
Can we add Switzerland or another jurisdiction later?
Additional jurisdictions require their own legal and service assessment. They should not be described as extensions of the EU or UK Article 27 appointment unless the relevant law and service arrangement support that conclusion.