
If your organisation processes personal data of individuals in the European Union or the UK but has no physical presence there, Article 27 of the GDPR almost certainly applies to you. This article breaks down exactly who needs an Article 27 representative, what that representative does, and how to get compliant before regulators come knocking.

What is Article 27 and who actually needs a representative?

Article 27 of both the EU GDPR (Regulation (EU) 2016/679, in force since 25 May 2018) and the UK GDPR (retained in UK law after Brexit on 31 January 2020) creates a clear obligation: if you are a controller or processor based outside those jurisdictions but your processing activities reach individuals there, you must appoint a local representative. The rule exists because the GDPR requires organisations to protect personal data, and regulators need someone on the ground whom they can hold accountable.

This duty is triggered when an organisation offers goods or services to, or monitors the behaviour of, individuals in EU member states or the UK, even if the organisation has no office, employees, or legal entity in those areas. The GDPR applies to all organisations processing EU residents’ data, regardless of where the company is headquartered. A US e-commerce platform shipping products to Germany, an Indian call centre handling UK customer records, or a Brazilian fintech app tracking European users all fall squarely within scope.

Failing to appoint a representative where required is not a minor administrative oversight. It can lead to regulatory inquiry, enforcement action, and fines that scale with global turnover. Regulators tend to treat the absence of representation as a red flag, signalling broader compliance failures.

Data Privacy Services (trading name of Data Privacy and Data Security Services Limited) provides both EU and UK representation services under Article 27. If you need to appoint a representative, visit the UK and EU Representation Service page to request a free initial assessment.


Legal background: Article 27 in the UK GDPR and EU GDPR

Understanding the legal framework behind Article 27 is essential before making any compliance decisions. Here is how the law works across both jurisdictions.

  • EU GDPR (Article 27): The regulation requires non-EU controllers and processors to designate a representative in one of the EU member states where data subjects are located. The representative serves as a local point of contact for supervisory authorities and data subjects, ensuring that the organisation remains reachable under EU law. This provision was formed as part of the broader accountability framework within the GDPR.

  • UK GDPR (Article 27): After Great Britain left the European Union under the European Union (Withdrawal) Act 2018 (exit on 31 January 2020, with the transition period ending on 31 December 2020), the UK retained its own version of the GDPR. The ICO’s guidance on data protection after transition confirms that Article 27 UK GDPR creates a separate, parallel obligation. Organisations targeting individuals in the UK must appoint a UK-based representative.

  • Dual representation: Organisations could now need both an EU representative and a UK representative, depending on where they target or monitor data subjects. Representation in one jurisdiction does not automatically satisfy requirements in the other.

  • Enforcement bodies: The Information Commissioner’s Office (ICO) enforces the UK GDPR, while national data protection authorities across the EU, such as CNIL in France or the Garante in Italy, handle enforcement in their respective countries. These authorities cooperate through the European Data Protection Board (EDPB) on cross-border matters.

  • Relationship to other duties: Article 27 sits alongside, but is distinct from, other governance obligations. Organisations must appoint a Data Protection Officer (DPO) where Article 37 requires one, and the DPO oversees compliance with data protection law. However, the DPO role and the representative role serve different functions and should not be conflated.

When does Article 27 apply? – Scope and exemptions

The conditions that trigger the need for an Article 27 representative are straightforward in principle, though the details matter. Here is how to assess whether your organisation is caught.

Conditions for needing an EU representative:

  • Your organisation is established outside the European Union

  • It offers goods or services, whether paid or free, to individuals in one or more EU member states

  • Or it monitors the behaviour of individuals in the EU, for example through tracking, profiling, or online advertising

Conditions for needing a UK representative:

  • Your organisation has no establishment in the UK

  • It offers goods or services to, or monitors, individuals in the UK

  • This triggers Article 27 UK GDPR on the same basis

Concrete examples:

  • A US SaaS provider selling subscriptions to small businesses in France and the Netherlands

  • An Indian tech support centre processing personal data of UK customers without having a UK branch

  • An Australian mobile app conducting behavioural profiling of EU users for targeted advertising

In each case, the organisation has no local presence but is clearly directing activity toward individuals in those jurisdictions. Even providing a website in the local language, accepting local currency, or running targeted ads can be enough to bring your processing within scope.

Exemptions under Article 27(2):

The exemptions are narrow and all three conditions must be met simultaneously:

  1. Processing is occasional, meaning not regular, systematic, or part of normal business operations

  2. Processing does not involve large-scale handling of special category data (health, race, religion, biometrics) or criminal offence data

  3. Processing is unlikely to result in risk to the rights and freedoms of individuals

Regulators interpret “occasional” tightly. Most digital business processing fails this test. When first considering whether an exemption applies, organisations should not assume that low-volume sales to EU or UK residents remove the obligation. Conducting risk assessments is essential for GDPR compliance in this context: a risk assessment identifies potential threats to data security that may push processing beyond the exemption threshold.

If you are unsure whether Article 27 applies to your operations, a compliance review or gap analysis is the safest starting point.


Role and responsibilities of the Article 27 representative

Once appointed, the Article 27 representative takes on a defined set of operational responsibilities. The role bridges the gap between your organisation, wherever it sits in the world, and the supervisory authorities and data subjects in the EU or UK.

Here is what the representative is expected to do on a day-to-day basis:

  • Point of contact for authorities and data subjects: The representative acts as the main contact within the European Union or UK for supervisory authorities and for individuals exercising their rights. Individuals have the right to access their personal data under GDPR, and the representative must be able to receive and forward those requests efficiently.

  • Maintain records of processing activities: Under Article 30, the representative must maintain, and make available to regulators upon request, the records of processing activities (RoPA) on behalf of the non-EU or non-UK controller or processor. This includes categories of data, recipients, transfers, retention periods, and security measures.

  • Written mandate: The representative must be mandated in writing to be addressed by regulators and data subjects on all issues related to processing. This mandate defines the scope of authority, communication channels, and reporting lines.

  • Distinct from the DPO: The Article 27 representative does not replace the Data Protection Officer. DPOs are responsible for monitoring data processing activities and provide guidance on data protection impact assessments. DPOs act as a point of contact for data subjects and authorities within the organisation’s governance structure. Some organisations will need both a representative and a DPO, depending on processing type and scale.

  • Incident coordination: GDPR compliance includes reporting data breaches within 72 hours. The representative may assist with notification to authorities and communication with data subjects where a breach affects EU or UK residents, though legal responsibility for breach notification remains with the controller or processor.

  • Transparency requirements: The representative must be clearly named in privacy notices under Articles 13 and 14, with contact details accessible to data subjects in the relevant jurisdictions.

Risks of non-compliance and recent enforcement trends

Failing to appoint an Article 27 representative when required is a breach of law in itself. But the practical consequences extend well beyond a single infringement.

  • Standalone violation: The absence of a designated representative can be cited as an aggravating factor in wider enforcement cases. Regulators view it as evidence that an organisation has not taken its governance obligations seriously, which can influence the severity of sanctions across other areas of non-compliance.

  • Enforcement activity against non-EU companies: Supervisory authorities in EU member states have investigated non-EU companies, particularly online platforms, apps, and ad-tech firms, and criticised the absence of a designated EU representative. The CMS GDPR Enforcement Tracker records over 2,685 GDPR fines totalling more than €6.1 billion since enforcement began. While many cases involve other articles, the absence of representation is frequently flagged during investigations of controllers outside the EU and UK.

  • Potential sanctions: GDPR administrative fines for Article 27 non-compliance can reach up to €10 million or 2% of global annual turnover under the EU GDPR, whichever is higher. Comparable penalty levels apply under the UK GDPR, enforced by the ICO.

  • Practical consequences beyond fines: Without a representative, organisations face difficulty engaging with regulators, increased scrutiny of cross-border transfers, and reputational damage when non-compliance is made public. Contract negotiations and procurement processes increasingly include due diligence on GDPR governance, and gaps here can disqualify organisations from trade opportunities.

  • Proactive recommendations: Regular risk assessments help mitigate data breach impacts. Risk assessments should be conducted annually or after significant changes to processing activities. Effective risk assessments involve identifying vulnerabilities and threats across the compliance landscape. We also know that over 90% of data breaches involve human error, making governance and awareness measures critical alongside technical controls. Organisations should consider conducting a free GDPR compliance audit to identify gaps, including Article 27, and document representation decisions for audit and accountability purposes.


Article 27 in the wider EU institutional context

Article 27 does not exist in isolation. It is part of a broader regulatory architecture built on democratic accountability and cross-border cooperation.

The GDPR was adopted through the ordinary legislative procedure, involving both the European Parliament (directly elected by citizens of the member states since 1979) and the Council, with the European Commission holding the legislative initiative. The president of the commission at the date of adoption oversaw the proposal that would reshape data protection law across the continent, and the legislature worked to ensure the regulation balanced innovation with fundamental rights. This process of democracy in action gave the GDPR its legitimacy and reach.

The parliament elected in 2019, representing a diverse electorate across all EU member states, has continued to scrutinise GDPR implementation and cross-border enforcement. Members of the parliament have raised concerns about whether non-EU organisations are meeting their obligations, including Article 27 representation. Much as elected MPs in the UK House of Commons conduct constituency work and respond to issues raised by the population, MEPs engage with groups across their constituencies to ensure policies deliver results for society. Government ministers sitting in the Council also influence the direction of enforcement priorities, ensuring that the rule of law in data protection remains focused and effective.

Article 27 helps ensure that regulators within the European Union can exercise effective supervision over foreign companies whose digital services reach EU residents, strengthening individual rights across borders. Without a local representative, supervisory authorities lack the jurisdictional foothold to bring enforcement action efficiently, a matter of justice and accountability in an increasingly connected world.

The UK, while no longer part of the EU since January 2020, has retained a similar model under the UK GDPR. This approach maintains high data protection standards across the United Kingdom and supports continued data flows with the EU. Data protection consultancy helps organisations comply with regulations in both jurisdictions, and consultancy services are available for both private and public sectors navigating these parallel regimes. Guidance from the EDPB, including Guidelines 03/2018 on territorial scope, provides further analysis of how these obligations should be interpreted and applied. The march toward stronger cross-border enforcement shows no sign of slowing, and compared to earlier years, regulators are now better equipped and more willing to take action against non-compliant organisations. These events underscore the importance of proactive compliance rather than reactive firefighting, a black-and-white matter for any organisation serious about operating in the EU or UK.

How Data Privacy Services supports Article 27 compliance

Data Privacy Services is a UK and EU-based consultancy specialising in GDPR, information security, and ISO 27001. The firm provides both EU and UK representative services under Article 27, helping organisations meet their legal obligations without the overhead of establishing a local entity.

Core elements of the representation service:

  • Acting as the official contact for European and UK regulators, including the ICO and national supervisory authorities

  • Handling and documenting data subject requests, including access, erasure, and rectification requests through established DSAR management workflows

  • Maintaining records of processing activities on behalf of the controller or processor

  • Supporting incident response and breach notification where EU or UK data subjects are affected

Complementary offerings:

Building a comprehensive compliance programme often means combining representation with other services. DPO services can be outsourced instead of hiring full-time staff, so organisations can obtain data protection leadership through consultancy rather than permanent headcount. Data Privacy Services offers:

  • DPO as a Service for organisations needing an in-house-equivalent DPO without the permanent headcount

  • CISO as a Service, providing outsourced cybersecurity leadership so organisations can access CISO expertise without full-time hiring. CISO as a Service helps organisations comply with data protection laws and is suitable for small to large enterprises

  • GDPR audits and gap analysis

  • ISO 27001 consultancy

  • Data protection training for staff at all levels

Consultants provide GDPR auditing and information security services with hands-on experience of regulators’ expectations. Consultancies offer training and support for data protection compliance, and the team can help align Article 27 arrangements with wider compliance programmes in both the private and public sectors.

Ready to appoint a representative? Visit the UK and EU Representation Service page to request a free initial assessment or discuss how Data Privacy Services can act as your EU and/or UK representative.

Practical steps to appoint an Article 27 representative

Here is a step-by-step checklist for organisations ready to act:

1. Confirm whether Article 27 applies

Map where your customers and users are located. Determine how you target the EU and UK, whether through marketing, language options, currency acceptance, or behavioural monitoring. Assess whether any exemptions genuinely apply by reviewing the nature, frequency, and scale of your processing. Do not assume that low-volume activity automatically removes the obligation.

2. Identify the right jurisdiction for your representative

For the EU representative, select a member state where the majority of your EU data subjects are located or where key processing takes place. For UK representation, the representative must be established in the UK. These are separate appointments.

3. Formalise the arrangement

Draft and sign a written mandate or service contract with the representative. This document should clearly define responsibilities, communication channels, reporting lines, escalation procedures, and confidentiality and security requirements.

4. Update documentation and procedures

Update your privacy notices, records of processing, and internal procedures to reference the appointed EU and/or UK representative. Contact details must be accessible to data subjects in the relevant jurisdictions. Security audits assess an organisation’s data protection measures, and regular security audits help identify vulnerabilities in systems. Security audits can be conducted annually or biannually, and ISO 27001 is a standard for conducting security audits. Security audits often include penetration testing and risk assessments, all of which should be reviewed alongside the appointment process.

5. Review on an ongoing basis

Conduct a review at least annually, or when entering new EU member states or the UK market, to ensure the representation model still matches business operations and regulatory expectations. Changes in processing scope, risk level, or legal environment should trigger a reassessment.


Integrating Article 27 with wider GDPR, security and governance work

Appointing an Article 27 representative is only one part of GDPR compliance. To be effective, it should be aligned with a broader set of measures that together form a resilient governance framework.

  • Lawful basis and DPIAs: Representation works best when embedded within a programme that includes lawful basis assessments, data protection impact assessments, and documented decision-making. A list of processing activities, regularly updated, supports both the representative and the organisation’s own accountability obligations.

  • ISO 27001 management: ISO 27001 is an international standard for information security management. Organisations must implement an Information Security Management System to achieve ISO 27001 certification. Certification requires a risk assessment to identify security threats, and the certification process includes an external audit by a certification body. ISO 27001 certification is valid for three years before renewal is required. Aligning your representation programme with ISO 27001 controls demonstrates a mature, risk-based approach to regulators and clients alike.

  • Training and awareness: Cybersecurity training reduces the risk of data breaches. Effective training can improve employee awareness by 70%, and regular training sessions are recommended every six months. Phishing simulations are a common training method used to test and reinforce staff behaviour. These areas of investment complement the governance layer that representation provides.

  • Bundled services: Organisations often bundle representation with DPO as a Service, ISO 27001-aligned security audits, and ongoing advisory support to maintain a consistent approach across jurisdictions. This brings efficiency and ensures that each compliance workstream reinforces the others, rather than operating in silos.

  • Opportunity, not just obligation: Treat representation as an opportunity to strengthen oversight of your EU and UK data processing. Organisations that embed representation into their broader compliance management programme are better positioned to respond to regulatory events, demonstrate accountability, and build trust with customers and partners.

If your organisation processes data of EU or UK residents and you are unsure about your obligations, contact Data Privacy Services for a combined review of Article 27 representation, data protection compliance, and information security posture. A proactive approach today avoids costly remediation tomorrow.
