
GDPR Art.27: Representatives of Controllers or Processors Not Established in the Union

What This Control Requires

Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union. The representative shall be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

In Plain Language

If your organisation is based outside the EU but the GDPR still applies to you - because you offer goods or services to people in the EU or you monitor their behaviour - you need someone on the ground inside the EU. That's what Article 27 requires: a formally appointed representative who acts as a local contact point for supervisory authorities and data subjects.

The representative must be established in a Member State where your affected data subjects are. They handle communications from regulators, help facilitate data subject requests, and maintain your Records of Processing Activities. They can be an individual, a law firm, a consultancy, or a specialist representative service, but the appointment must be in writing.

There are narrow exemptions for public authorities, for truly occasional processing that doesn't involve large-scale special category or criminal data, and for processing unlikely to pose risks to individuals' rights. In practice, though, most non-EU organisations that actively target EU individuals will need a representative.

How to Implement

First, determine whether Article 3(2) applies to you. Do you offer goods or services to people in the EU? Signs include EU-language websites, pricing in euros, EU shipping options, or marketing aimed at EU residents. Do you monitor the behaviour of EU-based individuals through tracking, profiling, or analytics? Document your assessment clearly.

If you need a representative, choose one and formalise the appointment in writing. Your representative can be an individual, a law firm, a consultancy, or a specialist GDPR representative service. They must be based in a Member State where your data subjects are located. Draft a written mandate that sets out their role, responsibilities, authority, and engagement terms.

Make sure your representative can actually do the job. They need to be able to respond to supervisory authority enquiries, facilitate data subject requests, and keep your Article 30 records up to date. Give them the information and access they need, establish reliable communication channels, and agree on response time expectations.

Add the representative's details to your privacy notices and all relevant data subject communications. Articles 13 and 14 require you to disclose the representative's identity and contact details wherever applicable. Update your website privacy policy and any other communications that reference your data protection contact information.

Keep the relationship active. Check that your representative is responsive, that communications from regulators and data subjects are being forwarded promptly, and that records are accurate. Review the arrangement periodically and update the representative whenever your processing activities change.

Evidence Your Auditor Will Request

  • Assessment of Article 3(2) applicability and need for EU representative
  • Written mandate formally appointing the EU representative
  • Privacy notices including the representative's identity and contact details
  • Evidence of communication channels and information sharing with the representative
  • Records of Processing Activities maintained by or with the representative

Common Mistakes

  • Non-EU organisations subject to GDPR failing to appoint a representative entirely
  • Representative appointed but not included in privacy notices or data subject communications
  • Representative not adequately resourced or informed to handle inquiries
  • Representative established in a Member State where the organisation has no data subjects
  • No written mandate formalising the appointment and responsibilities

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.34        Related

Frequently Asked Questions

Does appointing a representative make them liable for GDPR compliance?

The representative can be contacted by supervisory authorities and data subjects, and can be subject to enforcement proceedings. But the primary compliance responsibility stays with the controller or processor. Think of the representative as a local contact point, not a compliance substitute - appointing one doesn't transfer your obligations.

Can one representative serve multiple organisations?

Yes, absolutely. Specialist GDPR representative services routinely act for multiple non-EU controllers and processors. The Regulation explicitly anticipates this, and it's common practice.

In which Member State should the representative be located?

They need to be in a Member State where the data subjects you're targeting or monitoring are based. If you're dealing with individuals across multiple Member States, pick one where you have a significant concentration of data subjects. The choice should reflect where your actual user base is, not just where it's most convenient for you.
