When is an Article 27 representative required?

A representative is required when a controller or processor is not established in the EU/UK but is subject to GDPR/UK GDPR because it offers goods or services to individuals in those regions or monitors their behavior. The exemption applies only if processing is occasional, low risk, and does not involve large‑scale special category or criminal data.

Where must the representative be located?

The representative must be established in an EU Member State (or in the UK for UK GDPR) where affected data subjects are located.

Do I Need a GDPR Article 27 Representative?

Q: Do I need a separate EU and UK representative?

Possibly. The EU and UK regimes are separate. If you target both regions without establishments there, you may need two representatives.

Q: What does the representative actually do?

The representative acts as the contact point for supervisory authorities and data subjects, and keeps records available for regulators in the EU or UK.

GDPR Article 27 requires non-EU/UK controllers and processors to appoint a representative in the EU or UK when they offer goods or services to individuals there or monitor their behavior. Use the quick eligibility tool below, then dive into the criteria, exceptions, and examples. If you need a representative, Cruxi can match you with vetted EU/UK providers.

Compare GDPR Article 27 Providers Estimate Cost

On this page

Eligibility tool Core criteria Exceptions Examples FAQ

Quick Eligibility Tool

Answer five questions for a directional view. This is not legal advice — use it to decide whether to consult a representative.

Are you established in the EU/EEA or the UK? Do you offer goods/services to people in the EU/UK or monitor their behavior? (Not sure? See the helper below.) Is your EU/UK processing only occasional? (Not sure? See the helper below.) Does processing involve large‑scale special category or criminal data? Is the processing likely to create risk to individuals’ rights?

Core Criteria (EU + UK)

Article 27 applies when a controller or processor is not established in the EU (or UK) but is subject to GDPR/UK GDPR under the territorial scope rule. That usually means you are offering goods or services to individuals in the EU/UK or monitoring their behavior there.^[1]^[2]

“Offering goods or services”

Indicators include targeting EU/UK users with localized content, pricing in EUR/GBP, shipping to EU/UK, or running localized ads and campaigns.^[2]

“Monitoring behavior”

Examples include tracking individuals online with cookies or SDKs, profiling for marketing, or analyzing behavior for predictions and decisions.^[2]

Not sure? Use the targeting/monitoring helper

Many teams are unsure if they “target” EU/UK users or “monitor” behavior. Use this helper for a quick directional view.

Exceptions (When You Might Not Need a Representative)

An exemption applies only if all are true: processing is occasional, does not involve large‑scale special category/criminal data, and is unlikely to result in risk to individuals’ rights and freedoms.^[1]

Important nuance

If you are unsure whether processing is “occasional,” or whether it creates risk, it’s safer to consult a representative. The exemption is narrow.

Not sure if your processing is “occasional”?

Use this helper to assess whether your EU/UK processing is ongoing or occasional.

Examples (Quick Reality Check)

Likely needs a representative

US SaaS company with EU/UK customers, ongoing analytics and user tracking, and customer support in EU languages.

Possibly exempt

Non‑EU research team running a one‑off survey with a small EU participant pool, no special category data, and low risk.

UK + EU require two reps

Canadian app serving both UK and EU markets without an establishment in either region.

FAQ

Do I need a separate EU and UK representative?

Yes, if you target both regions and are not established there. The EU and UK regimes are separate.

What does the representative actually do?

They act as the contact point for supervisory authorities and data subjects and keep records available for regulators.^[1]

Where should the representative be located?

The representative must be established in an EU Member State (or the UK) where affected data subjects are located.^[1]^[3]

Ready to get quotes?

Cruxi matches you with vetted GDPR Article 27 providers across EU and UK. Compare coverage, SLAs, and pricing in one place.

Request Quotes Cost Calculator

References

^[1] GDPR Article 27 — Representative of controllers or processors not established in the Union (GDPR text).

^[2] EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) — final version.

^[3] ICO guidance on UK GDPR representatives.

GDPR Article 27 · EDPB Guidelines 3/2018 (Final) · ICO UK Representatives

This page is for informational purposes only and does not constitute legal advice. Cruxi is a marketplace/matching service; we are not a law firm and do not provide legal advice. See our Privacy Policy for how we share data with matched providers.