Article 27 GDPR, explained
Article 27 is the provision that requires many non-EU companies to appoint an EU representative. Here is its full text, paragraph by paragraph, with what each part actually means.
Article 27 of the GDPR is titled “Representatives of controllers or processors not established in the Union.” Its purpose, set out in Recital 80, is to give supervisory authorities and data subjects someone inside the EU to address. Here is the full text, paragraph by paragraph.
Paragraph 1 — the obligation
Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
If the GDPR reaches you under its extraterritorial scope — Article 3(2), i.e. you offer goods or services to, or monitor, people in the EU — you must appoint an EU representative, and the designation must be in writing.
Paragraph 2 — the exceptions
The obligation laid down in paragraph 1 of this Article shall not apply to: (a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or (b) a public authority or body.
There are two exceptions. The first is narrow: the processing must be occasional, not involve large-scale special-category or criminal data, and be unlikely to result in a risk — all three at once. The second is for public authorities and bodies. Most companies actively serving the EU do not qualify for either.
Paragraph 3 — where the representative sits
The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.
The representative must be in a Member State where your affected data subjects are. A provider with a real EU establishment covers this for you.
Paragraph 4 — what the representative is for
The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
The representative is the point of contact authorities and individuals can address on processing matters — in addition to, or instead of, you. This is the core of what the role does day to day.
Paragraph 5 — your responsibility stays
The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Appointing a representative does not move legal responsibility off you. You can still be pursued directly — the representative is an additional contact, not a liability shield.
In short
If Article 3(2) applies and you are not covered by the two narrow exceptions, you must designate an EU representative in writing, located where your EU data subjects are, to act as the contact point — without that reducing your own responsibility. For the practical side, see our EU GDPR representative guide or check your situation with the compliance checker.
More resources
General information, not legal advice. Last updated 2026-05-23.
Need an EU representative?
Usantis is your official EU representative under Article 27 GDPR — €99/month, set up in about ten minutes.