
GDPR Article 27 Explained in Plain English
Short answer
Article 27 of the GDPR requires companies based outside the EU that fall under the regulation to appoint a representative inside the Union, in writing, as a local point of contact for regulators and individuals. It is not the same as a Data Protection Officer, it has no revenue or size threshold, and skipping it is its own violation in the up to 10 million euro penalty tier. A narrow exemption exists only for processing that is genuinely occasional and low risk.
Article 27 is one of the shortest provisions in the entire GDPR. You can read it over a coffee. And yet that single paragraph quietly creates a hard legal obligation for thousands of companies that have never rented an office in Europe, never hired a European, and in some cases never knowingly sold to one. It is the most overlooked sentence in the regulation, and the one that turns up first when a complaint lands, because it is the easiest of all to prove.
So let us read it the way a human would, not the way a lawyer bills for. What it says, why it exists, who it catches, what the role actually involves, and what happens to the companies that decide it is somebody else's problem.
What Article 27 actually says
Stripped to its core, Article 27 says this: if your company is caught by the GDPR but has no establishment in the EU, you must designate a representative inside the Union, in writing.
The phrase "in writing" matters more than it looks. This is not an informal arrangement or a line in your privacy policy that you wrote yourself. It is a formal designation, a mandate, that authorises a specific person or company to act as your point of contact in Europe. The representative has to be established in a member state where some of the people whose data you handle actually are.
There is a carve-out, and it is narrow. You do not need a representative if your processing is occasional, does not involve special category data on a large scale, and is unlikely to result in a risk to people's rights. All three conditions have to hold at once. Public authorities are also exempt. Everyone else who is in scope is in scope.
That is the whole mechanism. One representative, formally appointed, sitting inside the Union, reachable. The complexity people imagine around Article 27 is almost always imported from somewhere else. The article itself is blunt.
Why the rule exists at all
To understand Article 27 you have to understand the problem it solves. The GDPR applies to companies far beyond Europe's borders. Through Article 3(2), it reaches any business outside the EU that offers goods or services to people in the Union or monitors their behaviour. That is deliberately wide. It means a regulator in Italy can have jurisdiction over a company in Ohio.
But jurisdiction on paper is worthless if there is nobody to deliver the letter to. A Sicilian data protection authority cannot easily serve notice on a Delaware LLC, chase it across the Atlantic, or expect a citizen in Naples to do so. Article 27 closes that gap. It forces the foreign company to plant a flag inside the Union, a named address where European law and European individuals can reach it. The representative is, in plain terms, the EU's way of making sure a non-EU company is not unreachable.
Article 3 gives Europe jurisdiction over you. Article 27 makes sure Europe has somewhere to send the mail.
Seen that way, the obligation stops feeling arbitrary. It is the practical counterweight to the regulation's long reach. If you benefit from the European market, the deal is that you remain contactable within it.
Who it applies to, and who is genuinely exempt
The trigger for Article 27 is not your size, your revenue or your industry. It is two prior questions. First, are you caught by the GDPR at all, meaning you have no EU establishment but you offer goods or services to, or monitor the behaviour of, people in the EU? Second, is your processing more than occasional? If both are true, the article applies.
The thing that surprises people is the absence of a threshold. There is no "under this many users you are fine" line. A solo founder running a paid newsletter with a few hundred European subscribers is as much in scope as a multinational. The regulation cares about what you do with personal data, not how big your company is. We wrote a full decision guide on exactly this question in do I need a GDPR representative, and the honest answer for most ongoing online businesses with European users is yes.
The exemption is real but it is small. "Occasional" means genuinely sporadic, a one-off, not the steady background hum of a live product, a recurring subscription or an always-on website. The moment your processing of EU data is a normal part of how the business runs, the occasional defence is gone.
What your representative actually does
This is where Article 27 gets demystified, because the role is more modest than the dread around it suggests.
Your representative is the point of contact. Supervisory authorities address it on all matters related to your processing. Individuals in the EU can turn to it to exercise their rights, which is why it has to be named somewhere they can find it, normally in your privacy notice. And it is expected to keep your record of processing activities available, so that when an authority asks, there is a copy on European soil.
What it does not do is run your compliance for you. The representative does not write your privacy policy, build your consent banner or answer your data subject requests on the merits. It receives, routes and holds. You remain the controller. The representative is the mailbox and the witness, not the lawyer doing your homework.
That distinction is exactly why the appointment is usually painless once people understand it. You are not outsourcing your obligations. You are satisfying one specific, mechanical requirement: be reachable inside the Union.
What a representative is not
The single most common confusion is between the Article 27 representative and the Data Protection Officer. They sound similar and they are completely different.
A Data Protection Officer, under Article 37, is an internal compliance function. It advises your organisation, monitors how you handle data, and is required when the nature of your processing demands it, for example large scale monitoring or large scale special category data. A DPO is about what you do. It is triggered whether you sit in Berlin or Boston.
The Article 27 representative is about where you are. It exists purely because you are outside the EU and the regulation needs a contact point inside it. You can need a representative and not a DPO, a DPO and not a representative, both, or neither. They are not interchangeable, and a vendor that conflates them is one to be wary of. For the wider map of these roles, the EU representative hub lays them out side by side.
What happens if you ignore it
Here is the uncomfortable part. A missing representative is the easiest GDPR violation in the book to prove. There is no investigation, no data forensics, no argument about intent. A regulator looks at your privacy notice, sees no EU representative, and the breach is established in a single page view. It sits in the penalty tier of up to 10 million euros or 2 percent of global annual turnover.
It is not theoretical either. In 2021 the Dutch authority fined the website LocateFamily 525,000 euros purely for failing to appoint a representative, with a recurring penalty until it complied. That case stands as the marker: Article 27 is enforced on its own, not only as a footnote to a bigger case. The broader pattern of how non-EU companies get caught, almost always starting with something else and then surfacing the missing representative, is laid out in our piece on GDPR enforcement against non-EU companies.
There is a quieter cost too. Your representative, or its absence, is visible to anyone doing due diligence: European buyers, partners, procurement teams. A named EU contact reads as a company that intends to operate in the market properly. A blank reads as a company that did not finish the job.
How to appoint one without overthinking it
The practical path is short. Confirm that the GDPR applies to you and that your processing is not occasional. Appoint a representative established in the EU, in writing. Name it in your privacy notice so individuals and authorities can find it. Keep your record of processing available for it. That is the obligation, start to finish.
Most non-EU companies do not hire an individual in one country. They use a specialist service that acts as representative across the member states, handles the regulator and individual contact, and documents the appointment correctly. It is a routine, bounded task, not a project that consumes your quarter.
Article 27 deserves neither panic nor neglect. It is a short rule with a clear purpose: if Europe's law reaches you, Europe needs somewhere to reach you back. Read it once, answer the two questions honestly, and either you are exempt or you appoint a representative and move on. The companies that get burned are rarely the ones who took it seriously. They are the ones whose first letter from a European regulator went to an address that did not exist.
Written by
Usantis Editorial (placeholder)
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU.