
EU Representative vs DPO vs Privacy Counsel: Who Does What
Short answer
An EU representative under Article 27 is required because of where you are: a non-EU company caught by the GDPR needs a named contact point inside the Union. A Data Protection Officer under Article 37 is required because of what you do: certain large scale or high risk processing triggers an internal oversight role, wherever you are based. Privacy counsel is a lawyer you choose to hire for advice and is never mandatory. They are separate roles: European guidance says the same person should not be both representative and DPO, and most non-EU online businesses need the representative, sometimes a DPO, and counsel only when a hard question turns up.
Three letters, one expensive mix-up. Picture a founder in Austin who shrugs and says his lawyer "handles the GDPR", so he must be covered. Picture a startup in Toronto that proudly appointed a Data Protection Officer and assumed that ticked every European box. Both are wrong in the same direction. They have quietly collapsed three separate jobs, the EU representative, the DPO and outside privacy counsel, into one fuzzy idea of "the GDPR person". When people compare an EU representative with a DPO they usually discover the two are not rivals at all; they answer completely different questions. And the space between those questions is exactly where fines tend to live.
So let us pull the three apart and lay them on the table. What each one is, what sets it off, who genuinely needs which, and why the cheapest possible error is assuming that one of them quietly covers the others.
The one-breath version
Here is the whole thing before we slow it down. The EU representative is about where you are. If you sit outside the EU but the regulation reaches you, you need a named point of contact inside the Union. The Data Protection Officer is about what you do. Certain kinds of large scale or sensitive processing require an internal watchdog, no matter where your office is. Privacy counsel is the brain you rent when a hard legal question shows up, and it is never something the law forces on you.
Keep those three triggers in your head and most of the confusion evaporates. Now the detail.
The EU representative: a question of where you are
The EU representative is a creature of Article 27. The logic behind it is almost mechanical. Through Article 3(2), the GDPR stretches well past Europe's borders and catches any company outside the EU that offers goods or services to people in the Union or monitors their behaviour. That gives a regulator in Lisbon or Vienna real jurisdiction over a business in Ohio. But jurisdiction is useless if there is nobody to hand the letter to. So the law makes the foreign company plant a flag: appoint, in writing, a representative established inside the Union who can be reached by authorities and by individuals.
Notice what the trigger is not. It is not your revenue, your headcount or your industry. It is your location plus the fact that you are caught at all. A solo founder with a few hundred European newsletter subscribers is in scope on the same terms as a multinational. The only real escape hatch is genuinely occasional, low risk processing, and for an always on product or website that hatch is closed. We wrote the full plain English breakdown in GDPR Article 27 explained, and a decision guide for the "am I even caught" question in do I need a GDPR representative.
What the representative actually does is narrow and concrete. It is the addressable contact point. Supervisory authorities approach it about your processing, individuals can turn to it to exercise their rights, it is named in your privacy notice so people can find it, and it keeps a copy of your record of processing available on European soil. What it does not do is run your compliance. It receives, routes and holds. It is the mailbox and the witness, not the consultant.
The DPO: a question of what you do
The Data Protection Officer comes from a different part of the regulation entirely, Article 37, and it is triggered by the nature of your activity, not your address. You need a DPO in three situations: you are a public authority, your core activities consist of large scale regular and systematic monitoring of people, or your core activities involve large scale processing of special category data such as health, biometric or similar sensitive information. A company in Berlin and a company in Boston face the exact same test. Geography is irrelevant here.
And the job is the mirror image of the representative's. A DPO looks inward. It advises the organisation on its obligations, monitors how the business actually handles personal data, helps with data protection impact assessments, and acts as a contact for authorities and individuals on those internal matters. Crucially, the DPO has to be independent. It cannot be told how to do the role, it reports to the highest level of management, and it cannot be punished for doing its job honestly. A DPO is your conscience with a statutory backbone.
The representative answers "where can Europe reach you". The DPO answers "who inside is watching how you handle data". They are not two names for the same hire.
This is why the two roles get confused and why the confusion is dangerous. They both involve being a contact point, they both touch authorities and individuals, and both can be filled by an outside provider. But one is forced on you by where you sit and the other by what you process. Stack the two triggers and you get four honest outcomes: you need the representative only, the DPO only, both, or neither. For a typical non-EU online business with European users and no large scale sensitive processing, the realistic answer is the representative and not the DPO.
Privacy counsel: the brain you rent when it gets hard
Then there is the privacy lawyer, sometimes an external firm, sometimes fractional in house counsel. This one is easy to place precisely because the GDPR never mentions it as an obligation. You hire counsel because you want judgement, not because a regulation made you.
Counsel earns its fee on the hard, bespoke questions. Is this new feature legal in the way we have designed it? How do we word a data processing agreement with a vendor? We just received a regulator's letter, now what? There is a cross border transfer here, does it hold up? That is real value, and for a complex or fast moving product it can be money very well spent. But two things matter. Counsel does not satisfy the Article 27 requirement, and it does not satisfy the Article 37 requirement. A brilliant privacy attorney in New York is not your EU representative, and is not your DPO either. They advise. The other two roles are positions you have to fill.
Can one person wear all three hats?
Here is the trap that catches the tidy-minded. It feels efficient to let one person or one vendor be your representative, your DPO and your legal adviser all at once. Fewer invoices, one throat to choke. The regulation pushes back on at least part of that instinct.
European data protection guidance on territorial scope takes the position that the representative and the DPO should not be the same person. The reasoning is clean once you see it. The DPO has to be independent and cannot be instructed on how to carry out the role. The representative, by contrast, acts on behalf of the company and can itself be drawn into enforcement proceedings over the company's failures. Independence on one side, mandated agency and exposure on the other. Those two postures genuinely conflict, so bundling them into one seat undermines the whole point of the DPO. Counsel sits more comfortably alongside either, but it still does not convert into either. Hiring a lawyer does not appoint a representative, and naming a DPO does not appoint a lawyer.
So which do you actually need?
Run the two statutory triggers in order and you will land in the right place.
First, location. Are you established outside the EU while offering to or monitoring people inside it, on anything more than an occasional basis? If yes, you need an EU representative. This is the one most non-EU companies miss, because nothing in their day-to-day forces it on them until a complaint or a due diligence question surfaces it.
Second, activity. Do your core activities involve large scale systematic monitoring of individuals, or large scale special category data, or are you a public authority? If yes, you also need a DPO. If no, you almost certainly do not, and paying for one anyway is just expensive comfort.
Third, difficulty. Are you facing a genuinely hard legal call, a regulator, a tricky contract or a transfer question? Then bring in counsel for that question. Not as a substitute for the first two, but for the judgement neither of them is there to give. For the wider map of how these roles fit around the representative obligation, the EU representative hub lays the territory out.
The price of guessing wrong
The reason this is worth getting straight is that one of these gaps is brutally easy to prove. A missing EU representative needs no investigation and no forensics. A regulator opens your privacy notice, sees no representative, and the breach is established in a single page view. It sits in the penalty tier of up to 10 million euros or 2 percent of global annual turnover. In 2021 the Dutch authority fined the website LocateFamily 525,000 euros purely for not appointing one, with a recurring penalty until it complied. The pattern of how non-EU companies actually get caught is laid out in GDPR enforcement against non-EU companies, and it almost always starts with something else before the missing representative surfaces as the easy, undeniable add on charge.
The quieter cost is reputational. The presence or absence of a named EU contact is visible to any European buyer, partner or procurement team doing diligence. A real representative reads as a company that intends to operate properly. A confident "our lawyer handles it" reads, to anyone who knows the difference, as a company that has not finished the job.
None of this is complicated once the three jobs stop blurring together. The representative is about where you are, and most non-EU companies with European users need one. The DPO is about what you do, and far fewer need it. Counsel is the judgement you buy when a question is genuinely hard. Sort them by their triggers, fill the seats the law actually requires, and you will never again be the founder who thought one of them quietly covered the rest.
Written by
Usantis Editorial (placeholder)
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU.