Are you required by Article 27 of the General Data Protection Regulation (GDPR) to appoint an EU representative?
If your business is not established in the EU and offers goods or services to, or monitors the
behaviour of, EU residents, then GDPR Art 27 almost certainly requires you to appoint a representative.
Failure to comply with Article 27 may expose you to
regulatory fines of up to €10,000,000 or 2% of your global turnover (whichever is greater).
Not sure if Article 27 of GDPR requires you to appoint a representative? Take our free
When you appoint Juksta to act as your representative in the
European Economic Area (EEA), our services include:
Firstly, many businesses outside the EU are surprised to learn that the General Data
Protection Regulation (GDPR) may also apply to them, not just EU companies.
Article 3 (2) of GDPR sets out that GDPR applies to data
controllers or processors not established in the Union when they
are processing personal data of data subjects who are in the Union, and the processing
activities relate to:
If your business is outside the EU and you do either of these, then GDPR applies to you.
Secondly, Article 27 GDPR requires the appointment of an EU representative for businesses
not established in the EU.
Article 27 (1) requires that data controllers or processors not established in
the Union, to which GDPR applies, shall designate a representative in the Union.
Article 27 (3) requires the representative to be in one of the EU member states
where the business's data subjects, whose personal data is processed or whose behaviour is
Thirdly, GDPR is a significant regulatory compliance risk to your business.
By December 2018 the total amount of GDPR-related fines was less than €500,000, whereas by
December 2019 fines exceeded €400,000,000. The message from regulators in EU member
states is clear: the honeymoon is over. Compliance with GDPR is a
requirement and regulators are actively enforcing it.
With fines of up to €10,000,000 or 2% of total revenue (whichever is greater),
non-compliance represents a significant financial
risk to your business and should not be ignored.
If your business is outside the EU and you offer goods or services to EU residents,
or monitor EU residents' behaviour (e.g. web analytics), then you are more than likely required
to appoint an Article 27 GDPR representative. This representative must be in the EU. If you choose not to appoint
a representative, you may be exposing your
business to significant regulatory risk.
Yes, there is one exemption. Article 27 (2) states:
"The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special
categories of data as referred to in Article 9(1) or processing of personal data relating to
criminal convictions and offences referred to in Article 10, and is unlikely to result in a
risk to the rights and freedoms of natural persons, taking into account the nature,
context, scope and purposes of the processing; or
(b) a public authority or body."
If your organisation can demonstrate the processing of personal data is "occasional" and
unlikely to result in a risk to the rights and freedoms of natural persons, then it is doubtful
you are required to appoint a representative. The European Data Protection Board (EDPB) provides
the following assistance in interpreting what is meant by "occasional":
"In line with positions taken previously by the Article 29 Working Party,
the EDPB considers that a processing activity can only be considered as
“occasional” if it is not carried out regularly, and occurs outside the regular
course of business or activity of the controller or processor."
- see Guidelines 3/2018, published November 2019
If you determine your processing is "occasional", you should document your decision and be
prepared to prove that position. If you are unsure in any way,
it may be worth considering the cost and risk of this position in comparison to the cost
of appointing a representative.
No, the role of a data representative is not the same
as a Data Protection Officer (DPO) and comes with a separate
set of responsibilities.
A DPO is an integral part of your organisation's GDPR compliance program,
with responsibilities to independently oversee data protection strategies,
educate staff, and assess and ensure GDPR compliance. The
representative's primary purpose, by contrast, is to act on behalf of the data controller or
processor to facilitate communication with EU data subjects on all issues
relating to your personal data processing activities, as well as communication from
In November 2019 the European Data Protection Board (EDPB) published
guidelines stating they do not consider the function of representative
compatible with the role of an external DPO:
"Such requirement for a sufficient degree of autonomy and independence of a
data protection officer does not appear to be compatible with the function of
representative in the Union. The representative is indeed subject to a mandate
by a controller or processor and will be acting on its behalf and therefore under its direct
instruction. The representative is mandated by the controller or processor it represents, and
therefore acting on its behalf in exercising its task, and such a role cannot be compatible
with the carrying out of duties and tasks of the data protection officer in an independent manner."
If you have already engaged an external DPO, you should appoint a different
provider to act as your representative.
Article 27 GDPR Compliance
Appointing an EU representative ensures compliance with Art 27 GDPR and eliminates the risk
of a significant regulatory fine for not having a representative.
Demonstrate to customers your commitment to their
rights to be informed about the collection
and use of their personal data.
Article 30 GDPR Compliance
Personal data processing activities,
related to data subject access requests made via our system,
are recorded to be compliant with Article 30 (1) & (2).
Just register with our service online to appoint us as your GDPR representative in the EU.
Takes less than 5 minutes.
No Lock-in contracts
Services are provided month-to-month, with no long-term subscriptions.
You can exit at any time, with no additional fees or charges.
Free trial, low monthly fees
Try the service free for 30 days with no obligation to proceed and no requirement to provide
your credit card. If you continue, fees start from only €19 a month.
It is relatively easy to comply with Article 27. By appointing and maintaining a
Representative you will be compliant.
We are happy to act on your behalf, as your Article 27 GDPR Representative. Our
monthly, flat-fee price is based on the size of your business.
Select your business size to appoint us as your GDPR representative in the EU today.