
Do I Need a GDPR Representative? The 5-Minute Answer
Short answer
You need an EU representative under Article 27 GDPR if your company has no establishment in the EU, you offer goods or services to people in the EU or monitor their behaviour, and that processing is not occasional. If all three are true, the appointment is mandatory, it must be a real person or entity inside the Union, and it has to be named in your privacy notice. If your EU contact is occasional and low risk, you are exempt.
Half the people who ask "do I need a GDPR representative?" do not need one and are about to waste money. The other half needed one a year ago, have been technically in breach the whole time, and have no idea. The annoying part is that telling the two apart takes about five minutes, but almost nobody spends them, because the question sounds like it requires a lawyer and a long afternoon.
It does not. The rule that decides this lives in one article of the GDPR, and it turns on three plain facts about your business. No revenue threshold, no headcount test, no industry list. Just three yes-or-no questions and a small exemption at the end. Let us walk through them.
First, what a GDPR representative actually is
Before the decision tree, clear up what we are talking about, because the term gets confused with two other roles constantly.
An EU representative under Article 27 is a person or company, physically established inside the European Union, that acts as your local point of contact. When a regulator in Ireland or a customer in Spain wants to reach you about how you handle their data, they go through your representative. The representative receives the letter, holds a copy of your records, and is the address that European law can actually deliver mail to. It exists for one reason: you are based outside the EU, and the Union does not want to chase a company across an ocean to enforce its own law.
That is a different job from a Data Protection Officer. A DPO advises your company on compliance and monitors it from the inside. You might need a DPO because of the kind of data you process, whether you are in Texas or Tallinn. The representative is about where you are, not what you do. Mixing them up is the single most common mistake we see, so if you want the longer version, we wrote a whole piece on who does what.
With that straight, here are the three questions.
Question 1: Is your company established in the EU?
"Established" means a real, stable presence: a branch, an office, a subsidiary, staff on the ground. Not a server in Frankfurt, not a customer in Paris, not a .de domain.
If the answer is yes, you can stop reading. A company with an EU establishment falls under the GDPR through Article 3(1) and does not need an Article 27 representative, because it already has a presence the law can reach. Your compliance work is real, but this particular requirement is not yours.
If the answer is no, and for most US, UK and other non-EU companies it is no, keep going. The representative requirement only exists for companies without an establishment in the Union, so you have just confirmed you are in scope to even ask the question.
Question 2: Do you offer goods or services to people in the EU, or monitor their behaviour?
This is the heart of it. Article 3(2) extends the GDPR to companies outside the EU in exactly two situations.
The first is offering goods or services to people in the Union. The key word is offering, on purpose. A single German tourist stumbling onto your American checkout page does not pull you into the GDPR. Deliberately targeting Europeans does. The signals regulators look for are the obvious ones: prices in euros, shipping options to EU countries, content in German, French or Italian, a marketing campaign aimed at Berlin. If a European could reasonably conclude you meant to sell to them, you are offering.
The second is monitoring behaviour. This one catches companies that swear they have no EU customers. Behavioural monitoring means tracking what identifiable people do: analytics that profile visitors, remarketing pixels, cookies that follow users across sessions, fitness or location tracking, scoring engines. If people in the EU land on your site and your tools watch and profile them, you are monitoring, even if you never sell them a thing. This is the prong that quietly catches advertisers, which is why we pulled it apart in our piece on whether you need a representative for Google Ads.
The GDPR does not ask where your company is. It asks where your users are, and what you do with what you learn about them.
If neither prong applies, you are genuinely outside the GDPR's reach and you do not need a representative. If either one applies, you have one question left.
Question 3: Is the processing occasional?
Even when Article 3(2) catches you, Article 27 carves out a narrow exemption. You do not need a representative if your processing of EU data is occasional, does not include special category data on a large scale, and is unlikely to result in a risk to people's rights.
All three conditions have to hold, and "occasional" is the one that trips people up. Running a live subscription product, a recurring newsletter, an always-on ad campaign or any ongoing service is not occasional. It is continuous by design. The exemption is built for the rare, one-off case: you processed a handful of EU contacts once for a specific event and then stopped. If data flows through your systems as a normal part of how the business runs, assume the exemption does not save you.
Special category data, things like health, biometrics, religion or political views, narrows the exemption further. Touch that on any meaningful scale and the occasional defence essentially evaporates.
So the honest read for most software companies, e-commerce stores, SaaS tools and content businesses with European users is simple: your processing is not occasional, and the exemption is not for you.
Putting it together
Here is the whole decision in one breath. No EU establishment, plus offering or monitoring toward people in the EU, plus processing that is not occasional, equals you need an Article 27 representative. Knock out any one of those and you are clear.
Notice what is not on that list. There is no minimum revenue. There is no employee count. A solo founder with a Stripe link and four German subscribers has the same obligation as a company with a thousand. Article 27 simply does not scale with size, which is exactly why so many small companies assume it cannot apply to them and get it wrong.
Why the answer is worth getting right
It is tempting to file this under "later." Resist that, for two reasons.
The first is enforcement mechanics. A missing representative is the rare violation a regulator can prove from your own website in a single page view. There is no investigation, no forensic data audit, just the plain absence of a named EU contact in your privacy notice. It sits in the higher penalty tier of up to 10 million euros or 2 percent of global annual turnover. And it has happened on its own: in May 2021 the Dutch authority fined the website LocateFamily 525,000 euros purely for failing to appoint a representative, with a recurring penalty on top until it complied. That case exists specifically to show that this is not a paperwork footnote regulators ignore. If you want the broader pattern of how non-EU companies actually get caught, we mapped it out here.
The second reason is quieter and arguably more common: business friction. European buyers, partners and procurement teams increasingly check for a valid representative as part of due diligence. A privacy notice with a real EU contact reads as a company that intends to stay in the market. A blank where the representative should be reads as a company that did not finish its homework, and that costs deals long before any regulator gets involved.
So, do you need one?
If you walked through the three questions and landed on yes, the next step is not to panic or to hire someone in Brussels. Most non-EU companies appoint a specialist service that covers all member states, handles the regulator and data subject contact, and names you properly in your documentation. It is a routine fix, not a project.
If you are still not sure which half you are in, do not guess. The same three questions, asked in order, take about a minute to answer with a tool instead of a flowchart.
Find out in about a minute
The free compliance checker walks through these exact questions and tells you whether Article 27 applies to your business.
The honest summary is the one we started with. This question has a clean answer for almost everyone who asks it, and the cost of guessing wrong runs in both directions: a representative you did not need, or a fine for the one you did. Five minutes of clarity is cheaper than either. Once you know where you stand, you can get back to selling to Europe instead of worrying about it.
Written by
Usantis Editorial (placeholder)
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU.