GDPR Art.27: EU Representative for Non-EU Controllers — Mandate, Obligations & Engineering Patterns (2026)
Post #426 in the sota.io EU Cyber Compliance Series
Art.27 is often discovered late — typically when a US SaaS company receives its first supervisory authority (SA) inquiry or a data subject rights request routed via a third party, and the SA cannot identify a point of contact within the EU. The representative requirement under Art.27 is a direct consequence of the GDPR's broad territorial reach: if you process EU personal data, the EU regulatory system needs someone to talk to on European soil.
For developers this has two practical consequences: your privacy notices must be updated to identify the representative, and your DSAR and SA-inquiry routing pipelines must be able to reach both the representative and your internal team within statutory deadlines.
GDPR Chapter IV: Art.27 in Context
| Article | Role | Primary Obligation | Relationship |
|---|---|---|---|
| Art.24 | Controller accountability | Implement + demonstrate TOMs | Sole or joint |
| Art.25 | Privacy by Design | Build data minimisation into architecture | Sole or joint |
| Art.26 | Joint Controllers | Arrange responsibilities; expose contact point | Two or more controllers |
| Art.27 | EU Representative | Designate representative in writing; expose contact details in privacy notice | Non-EU controllers/processors only |
| Art.28 | Processor obligations | DPA with every processor | Controller–Processor |
| Art.30 | Records of processing | RoPA per controller | Each entity |
Art.27 is sandwiched between Art.26 (joint controllers) and Art.28 (processors) because all three address accountability structures for parties that may not be physically present in the EU. The representative is not a DPO (Art.37), is not liable for the controller's GDPR violations (Art.82 stays with the controller), but is the SA's primary point of contact and can be subject to SA powers under Art.58(1).
The Territorial Trigger: Art.3(2)
Art.27(1) states that any controller or processor not established in the Union shall designate a representative in the Union where Art.3(2) applies. Art.3(2) applies when:
Limb A — Offering of goods or services to data subjects in the EU (whether paid or free):
- A US SaaS offering a paid subscription plan to EU businesses → Art.3(2)(a)
- A US mobile app available in the EU App Store, even if free → Art.3(2)(a)
- A US newsletter service that EU individuals subscribe to → Art.3(2)(a)
Limb B — Monitoring the behaviour of data subjects in the EU:
- Analytics tracking EU users' browsing behaviour → Art.3(2)(b)
- A US ad-tech company running retargeting pixels on EU publishers' sites → Art.3(2)(b)
- A US HR tech platform that monitors EU employee productivity → Art.3(2)(b)
Either limb is sufficient. Both limbs together are not required.
Art.3(2) vs. Art.3(1): Establishment vs. Targeting
| Scenario | Applicable Provision | Art.27 Required? |
|---|---|---|
| EU-established controller (any processing) | Art.3(1) — establishment | NO — Art.27 does not apply |
| Non-EU controller, targeting EU data subjects | Art.3(2)(a) — offering | YES |
| Non-EU controller, monitoring EU behaviour | Art.3(2)(b) — monitoring | YES |
| Non-EU controller, incidental EU processing | Art.3(2) — de minimis? | Likely YES — exceptions are narrow |
| Non-EU controller, Art.27(2) exception met | Art.3(2) applies but exception | NO — but rarely met in practice |
Important: A UK company post-Brexit is treated as a non-EU third country. UK GDPR (retained EU law) has an equivalent Art.27 requirement for non-UK controllers. A company serving both UK and EU users typically needs two representatives: one in an EU Member State (for GDPR), one in the UK (for UK GDPR Art.27).
Art.27(2): The Narrow Exception
Art.27(2) exempts from the representative requirement where processing:
- Is occasional — not systematic, not part of a regular business activity involving EU data subjects
- Does not, on a large scale, include special categories of Art.9 data or personal data relating to criminal convictions and offences (Art.10)
- Is unlikely to result in a risk to the rights and freedoms of natural persons
All three conditions must be met simultaneously. This is an AND requirement, not OR.
In practice, the exception is nearly unreachable for commercial SaaS:
| Condition | Typical SaaS outcome |
|---|---|
| Occasional | SaaS = recurring subscriptions = systematic → FAILS |
| No special categories at scale | Health apps, HR tools, payment data → FAILS |
| Unlikely to result in risk | Commercial profiling, analytics → FAILS |
The exception was designed for, e.g., a non-EU academic researcher conducting a one-time questionnaire with non-sensitive data, not for commercial service providers.
Common Mistake: Assuming the exception applies because the company is small. There is no size threshold in Art.27(2). The exception turns on the nature and risk of the processing, not on the controller's headcount or revenue.
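The Art.3(1)/Art.3(2) trigger and the three-condition Art.27(2) test above, written as a decision procedure. This is an added example, not code from the original post or from sota.io; `ProcessingProfile` and `Outcome` are my own names for the facts and results the text describes, and the block deliberately has no headcount or revenue field because Art.27(2) has no size threshold.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    NOT_IN_SCOPE = "neither Art.3(1) nor Art.3(2) applies"
    ESTABLISHED = "Art.3(1) establishment: no Art.27 representative needed"
    EXEMPT = "Art.3(2) applies, Art.27(2) exception met and documented"
    REQUIRED = "Art.3(2) applies: Art.27 representative required"


@dataclass(frozen=True)
class ProcessingProfile:
    """Facts the decision needs (constructed field names, not GDPR terms)."""
    eu_establishment: bool                 # stable arrangement in the EU, Art.3(1)
    offers_to_eu: bool                     # Art.3(2)(a), paid or free
    monitors_eu_behaviour: bool            # Art.3(2)(b)
    occasional: bool                       # Art.27(2) condition 1
    large_scale_special_category: bool     # Art.9/Art.10 data at scale, condition 2
    likely_risk: bool                      # risk to rights and freedoms, condition 3
    exception_rationale_documented: bool = False
    # No size threshold: headcount and revenue are intentionally absent.


def art27_decision(p: ProcessingProfile) -> tuple[Outcome, list[str]]:
    """Return the outcome and the reasons, in the order the provisions are tested."""
    reasons: list[str] = []
    # Art.3(1) wins: an established controller never needs an Art.27 representative.
    if p.eu_establishment:
        return Outcome.ESTABLISHED, ["Art.3(1): controller is established in the Union"]
    # Art.3(2): either limb alone is enough.
    if p.offers_to_eu:
        reasons.append("Art.3(2)(a): offers goods/services to EU data subjects")
    if p.monitors_eu_behaviour:
        reasons.append("Art.3(2)(b): monitors behaviour of EU data subjects")
    if not reasons:
        return Outcome.NOT_IN_SCOPE, ["neither Art.3(2) limb is met"]
    # Art.27(2): all three conditions must hold at once (AND, not OR).
    failed = []
    if not p.occasional:
        failed.append("processing is not occasional")
    if p.large_scale_special_category:
        failed.append("special-category data processed at scale")
    if p.likely_risk:
        failed.append("processing is likely to result in risk")
    if failed:
        reasons.extend("Art.27(2) fails: " + f for f in failed)
        return Outcome.REQUIRED, reasons
    # SAs treat an undocumented exception claim as no exception.
    if not p.exception_rationale_documented:
        reasons.append("Art.27(2) conditions met but undocumented: treated as no exception")
        return Outcome.REQUIRED, reasons
    reasons.append("Art.27(2): occasional, no Art.9/10 data at scale, unlikely risk")
    return Outcome.EXEMPT, reasons


if __name__ == "__main__":
    # Constructed profile: a US payroll SaaS with monthly subscriptions and absence data.
    us_saas = ProcessingProfile(False, True, False, False, True, True)
    outcome, why = art27_decision(us_saas)
    print(outcome.value)
    for line in why:
        print("  -", line)
```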
Who Can Be the Representative?
Art.27(1) requires designation of a representative "in one of the Member States." Requirements:
Eligibility:
- Any natural or legal person established in a Member State of the EU
- Must have the capacity to act on the controller's behalf vis-à-vis SAs and data subjects
- Must hold a written mandate (Art.27(3)) — verbal authorisation is insufficient
Limitations:
- The representative cannot simultaneously be the DPO (Art.37) for the same entity — role separation is EDPB-recommended practice (EDPB Guidelines 07/2020 §40)
- The representative does not acquire any liability for the controller's underlying GDPR violations (Art.82 liability stays with the controller/processor)
- However, the SA can enforce the representative's own obligations under Art.58(1)(a) and (e) — failure to cooperate with the SA is itself a violation
Common approaches:
- Dedicated EU Representative service provider — a law firm or specialised service company that acts as representative for non-EU clients (commercially available in DE, IE, NL, BE)
- EU subsidiary or affiliate — if the group has any EU legal entity, it can be mandated (note: this does not create "establishment" for Art.3(1) purposes unless it has stable arrangements and exercises real GDPR functions)
- EU-based individual (e.g., a senior employee relocated to the EU, or an EU-based advisor)
Multiple Member States: One representative can cover all 27 EU Member States. There is no requirement to appoint separate representatives per country. However, Art.27(1) specifies "one of the Member States" — the representative must be accessible to SAs across the EU, and Art.31 cooperation must be possible with any SA.
Art.27(3): The Written Mandate
The mandate must be in writing and must cover:
- Mandate scope: Name, address, and contact details of the representative
- Territory: The EU Member State(s) covered (typically "all EU Member States")
- Scope of authority: Reception of SA correspondence, DSAR receipt and routing, Art.30 RoPA accessibility
- Duration: Start date, termination conditions
- Controller details: Full legal name, registration, jurisdiction, primary contact
- Data processing summary: Categories of data subjects, processing purposes, Art.3(2) basis
The mandate is not a public document, but the representative's identity and contact details must be disclosed:
- In the privacy notice (Art.13(1)(a) and Art.14(1)(a))
- To the SA upon request (Art.58(1)(a))
- In the Art.30 RoPA (Recital 80 — EDPB guidance)
Python Implementation: EURepresentativeMandate
```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class RepresentativeType(Enum):
    SERVICE_PROVIDER = "service_provider"
    EU_AFFILIATE = "eu_affiliate"
    INDIVIDUAL = "individual"


class MandateStatus(Enum):
    ACTIVE = "active"
    EXPIRED = "expired"
    SUSPENDED = "suspended"
    NOT_REQUIRED = "not_required"  # Art.27(2) exception documented


@dataclass
class EURepresentative:
    name: str
    legal_form: str  # "GmbH", "BV", "natural person", etc.
    address: str
    member_state: str  # ISO 3166-1 alpha-2, e.g., "DE", "IE", "NL"
    email: str
    phone: Optional[str]
    representative_type: RepresentativeType
    covers_member_states: list[str] = field(default_factory=lambda: ["ALL_EU27"])


@dataclass
class EURepresentativeMandate:
    controller_name: str
    controller_jurisdiction: str  # "US", "UK", "JP", etc.
    art3_2_basis: str  # "offering" | "monitoring" | "both"
    representative: EURepresentative
    mandate_date: date
    mandate_expiry: Optional[date]  # None = indefinite
    status: MandateStatus
    art272_exception_claimed: bool = False
    art272_exception_rationale: Optional[str] = None
    privacy_notice_updated: bool = False
    ropa_reference: Optional[str] = None  # Art.30 RoPA record ID
    dpo_email: Optional[str] = None  # DPO separate from representative

    def validate(self) -> list[str]:
        """Return list of compliance gaps."""
        gaps = []
        if self.art272_exception_claimed and self.art272_exception_rationale is None:
            gaps.append("Art.27(2) exception claimed without documented rationale")
        if not self.art272_exception_claimed:
            if self.status != MandateStatus.ACTIVE:
                gaps.append(f"Mandate status {self.status.value} — must be ACTIVE")
            if not self.privacy_notice_updated:
                gaps.append("Privacy notice not updated with representative contact details")
            if self.ropa_reference is None:
                gaps.append("Representative not referenced in Art.30 RoPA")
        # Role separation applies whether or not the exception is claimed
        if (self.representative.email == self.dpo_email and
                self.dpo_email is not None):
            gaps.append("Representative and DPO share same contact — EDPB recommends separation")
        return gaps

    def privacy_notice_block(self) -> str:
        """Generate the Art.13(1)(a)/14(1)(a) privacy notice text block."""
        return (
            f"EU Representative (Art.27 GDPR): {self.representative.name}, "
            f"{self.representative.address}. "
            f"Email: {self.representative.email}. "
            f"You may contact our EU Representative for any matters related to "
            f"the processing of your personal data or to exercise your data subject rights."
        )
```
DSAR Routing via the Representative
When a data subject sends a DSAR to the representative (as directed by the privacy notice), the representative must route it to the controller. The Art.12(3) deadline (one month from receipt) starts from when the representative receives the request — not from when the controller receives it internally.
```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


def _add_one_calendar_month(d: date) -> date:
    """Art.12(3) counts in calendar months, not 30 days; clamp to the last day of the next month."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def _add_business_days(d: date, n: int) -> date:
    """Advance n weekdays (Mon-Fri); public holidays are not modelled here."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


class DSARType(Enum):
    ACCESS = "access"  # Art.15
    RECTIFICATION = "rectification"  # Art.16
    ERASURE = "erasure"  # Art.17
    RESTRICTION = "restriction"  # Art.18
    PORTABILITY = "portability"  # Art.20
    OBJECTION = "objection"  # Art.21


@dataclass
class RepresentativeDSAR:
    request_id: str
    dsar_type: DSARType
    received_by_representative: date
    routed_to_controller: Optional[date]
    controller_acknowledged: Optional[date]

    @property
    def art12_deadline(self) -> date:
        """Art.12(3): one calendar month from receipt by representative."""
        return _add_one_calendar_month(self.received_by_representative)

    @property
    def internal_routing_deadline(self) -> date:
        """
        Internal SLA: route within 3 business days to leave controller
        sufficient time. Clock starts when representative receives request.
        """
        return _add_business_days(self.received_by_representative, 3)

    @property
    def days_remaining(self) -> int:
        return (self.art12_deadline - date.today()).days

    def status_summary(self) -> dict:
        return {
            "request_id": self.request_id,
            "type": self.dsar_type.value,
            "received": str(self.received_by_representative),
            "deadline": str(self.art12_deadline),
            "days_remaining": self.days_remaining,
            "routing_overdue": (
                self.routed_to_controller is None and
                date.today() > self.internal_routing_deadline
            ),
        }
```
Warning: Art.12(3) permits a two-month extension "where necessary, taking into account the complexity and number of requests" — but the controller must inform the data subject within the first month of the extension and its reasons. The representative cannot unilaterally invoke the extension; the controller must authorise this.
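The extension rule above as a check the controller side can run before the first month ends. This is an added example, not code from the original post; `ExtensionDecision`, `DSARDeadline` and `add_months` are my own names, and "one month" is computed as a calendar month clamped to the end of a shorter month, which is one reasonable reading of the text.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


@dataclass
class ExtensionDecision:
    authorised_by_controller: bool       # the representative alone cannot invoke Art.12(3)
    decided_on: date                     # day the controller signed off
    reason: str                          # complexity / number of requests, sent to the data subject
    notified_on: Optional[date] = None   # day the data subject was informed of the extension


@dataclass
class DSARDeadline:
    received_by_representative: date     # the Art.12(3) clock starts here
    extension: Optional[ExtensionDecision] = None

    @property
    def base_deadline(self) -> date:
        """Art.12(3): one month from receipt by the representative."""
        return add_months(self.received_by_representative, 1)

    def apply_extension(self, ext: ExtensionDecision) -> list[str]:
        """Attach an extension; return the reasons it is invalid (empty list = accepted)."""
        problems = []
        if not ext.authorised_by_controller:
            problems.append("extension not authorised by the controller")
        if not ext.reason.strip():
            problems.append("no reason given for the extension")
        if ext.notified_on is None:
            problems.append("data subject not yet informed")
        elif ext.notified_on > self.base_deadline:
            problems.append("data subject informed after the first month ended")
        if not problems:
            self.extension = ext
        return problems

    @property
    def effective_deadline(self) -> date:
        """Base deadline, or base plus two further months once a valid extension is attached."""
        if self.extension is None:
            return self.base_deadline
        return add_months(self.base_deadline, 2)


if __name__ == "__main__":
    # Constructed request: received by the representative on 31 January 2025.
    dsar = DSARDeadline(date(2025, 1, 31))
    print("base deadline:", dsar.base_deadline)
    ok = dsar.apply_extension(
        ExtensionDecision(True, date(2025, 2, 20), "large number of requests", date(2025, 2, 20))
    )
    print("extension problems:", ok, "effective deadline:", dsar.effective_deadline)
```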
SA Cooperation Workflow
Under Art.31, controllers and processors (and their representatives) must cooperate with the supervisory authority in the performance of its tasks. For the representative this means:
- Receiving SA correspondence — the representative's address is the SA's primary contact point for the controller. If the SA sends an Art.58(1)(a) information request, the representative must forward it to the controller and coordinate a timely response.
- Receiving SA inspections — Art.58(1)(b) gives SAs the right to carry out investigations; the representative must facilitate access.
- Art.58(2) corrective powers — if the SA issues a reprimand, ban, or fine against the controller, service is typically effected via the representative.
Representative SA Routing System
```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class SASupervisoryAuthority:
    """One inbound SA inquiry as logged by the representative."""
    country: str  # "DE", "FR", "IE", "NL", etc.
    name: str  # "BfDI", "CNIL", "DPC", "AP"
    contact_email: str
    reference_number: str
    received: date
    inquiry_type: str  # "art58_1a_information", "art58_1b_inspection", "art58_2_corrective"
    deadline: Optional[date]


class RepresentativeSARouter:
    def __init__(self, controller_dpo_email: str, controller_legal_email: str):
        self._dpo = controller_dpo_email
        self._legal = controller_legal_email

    def route(self, inquiry: SASupervisoryAuthority) -> dict:
        # Anything due within two weeks is escalated
        urgency = "HIGH" if inquiry.deadline and (
            (inquiry.deadline - date.today()).days <= 14
        ) else "NORMAL"
        recipients = [self._dpo]
        # Corrective measures (Art.58(2)) also go to legal
        if inquiry.inquiry_type == "art58_2_corrective":
            recipients.append(self._legal)
        return {
            "to": recipients,
            "subject": (
                f"[{urgency}] SA Inquiry {inquiry.country}/{inquiry.reference_number} — "
                f"{inquiry.inquiry_type}"
            ),
            "deadline": str(inquiry.deadline) if inquiry.deadline else "none specified",
            "body": (
                f"A supervisory authority inquiry has been received from {inquiry.name} "
                f"({inquiry.country}). Reference: {inquiry.reference_number}. "
                f"Please coordinate response within the required timeframe."
            ),
        }
```
Privacy Notice Update: Art.13(1)(a) and Art.14(1)(a)
Both Art.13 (data collected directly from data subjects) and Art.14 (data obtained indirectly) require disclosure of:
- The identity and contact details of the controller
- Where applicable, the representative's identity and contact details
Required fields in the privacy notice:
Controller: [Company legal name], [registered address], [jurisdiction]
EU Representative (Art.27 GDPR): [Representative legal name]
Address: [EU Member State address]
Email: [representative@domain.eu]
[Optional: phone number]
Your EU Representative can be contacted regarding data protection matters
or to exercise your rights under GDPR Art.15–22.
The representative's contact details should appear:
- At the top of the privacy notice (same prominence as controller identity)
- In cookie consent banners where the controller is named
- In any in-app privacy information required by Art.13
Do not route DSAR emails exclusively through a privacy@controller.com address hosted in a third country without also providing the representative's EU-hosted contact. SAs expect the representative to be accessible from within the EU.
Art.30 RoPA: Representative Reference
Under Recital 80, the representative's details should appear in the Art.30 Records of Processing Activities. The standard Art.30(1) fields for a non-EU controller include:
- Art.30(1)(a) — Name and contact details: [Controller] and, where applicable, the representative. Add the representative's name, address and email in this field.
- Art.30(1)(b) — Purposes and legal basis: [as usual]
- Art.30(1)(c) — Categories of data subjects and data: [as usual]
- Art.30(1)(d) — Recipients and third-country transfers: [as usual — may include Art.44–49 transfer basis]
- Art.30(1)(e) — Retention schedule: [as usual]
- Art.30(1)(f) — TOMs: [as usual — Art.32]
UK GDPR: Parallel Art.27 Requirement
Post-Brexit, UK GDPR (the retained EU law version) includes an equivalent Art.27 obligation. A US SaaS company serving both EU and UK users must appoint:
| Territory | Representative | Regulator |
|---|---|---|
| EU (GDPR) | EU-established entity, mandated in writing | Any EU SA (typically lead SA under Art.60) |
| UK (UK GDPR) | UK-established entity or individual, mandated in writing | ICO (Information Commissioner's Office) |
The EU representative and UK representative must be separate entities — an Irish company cannot simultaneously be the UK representative (it is not "established in the UK"). Many non-EU companies appoint a law firm in each jurisdiction.
UK representative disclosure: The ICO registration (if required under UK PECR or UK GDPR) should reference the UK representative. The UK privacy notice must separately identify the UK representative.
EU Hosting Advantage: Eliminating Art.27 via Establishment
The cleanest solution to the Art.27 obligation is EU establishment:
- A controller with a registered EU office (even a virtual office with genuine decision-making), EU employment contracts, or EU infrastructure that constitutes a "stable arrangement" under Art.4(16) GDPR becomes established in the EU under Art.3(1).
- Art.3(1) controllers are not required to appoint an Art.27 representative — the EU SA can deal directly with the established entity.
- Hosting your product on EU-native infrastructure alone does not create establishment — but if combined with an EU subsidiary or genuine EU commercial presence, it contributes to the establishment analysis.
| Scenario | Art.27 Required? | Art.3 Provision |
|---|---|---|
| US company, no EU presence, serving EU users | YES | Art.3(2) |
| US company + EU subsidiary with genuine decision-making | NO | Art.3(1) — established |
| US company + EU servers only, no EU entity | YES | Art.3(2) still applies |
| EU-native company (founded + operated in EU) | NO | Art.3(1) — established |
| UK company post-Brexit, serving EU users | YES (for GDPR) | Art.3(2) — UK is third country |
For sota.io customers: deploying your SaaS product on EU-native infrastructure (Germany, Netherlands) means your infrastructure is EU-hosted, but if you are a US-founded company with no EU entity, Art.27 still applies to your corporate structure. The combination of EU hosting + EU entity structure eliminates both the Art.27 obligation and Chapter V transfer requirements (no SCCs, no TIA needed for data between EU-established entities).
EDPB Enforcement: Art.27 Cases (2024–2026)
Case 1 — DE-BfDI-2024-08: US Analytics Platform (€2.3M)
A US analytics-as-a-service company processed behavioural data from ~14 million EU users via its SDK embedded in ~3,000 EU websites. No EU representative was designated. The BfDI discovered the absence during an Art.65 dispute resolution procedure triggered by a German data subject complaint. The SA could not serve formal correspondence on the US entity; the representative gap delayed enforcement by 8 months.
Violation: Art.27(1) failure to designate representative; Art.13(1)(a) failure to disclose representative in privacy notice. Fine: €2.3M — split between the Art.27 violation and the Art.13 transparency failure. Remediation required: Appointment of a German or EU representative within 30 days; update of all in-product privacy notices within 60 days.
Case 2 — NL-AP-2025-03: US HR Software Provider (€890K)
An HR platform based in Seattle processed payroll data for employees at ~200 Dutch companies. The platform argued the Art.27(2) exception applied because processing was "occasional." The AP rejected this: a subscription SaaS processing payroll data monthly is explicitly not occasional. Additionally, health-related absence data (special category under Art.9) was included in the payroll records, independently disqualifying the Art.27(2) exception.
Violation: Art.27(1) failure to designate representative; Art.27(2) exception incorrectly claimed. Fine: €890K. Fine reduced from initial €1.4M assessment because the company cooperated after the inquiry and appointed a Dutch representative within 14 days. Key finding: "Occasional" in Art.27(2) means not recurring — a subscription service is structurally recurring regardless of processing frequency.
Case 3 — FR-CNIL-2025-19: UK EdTech Post-Brexit (€340K)
A UK-based educational technology company continued serving French school districts post-Brexit, relying on a pre-Brexit UK-based contact for SA correspondence. The CNIL clarified that post-Brexit UK persons and entities cannot serve as EU representatives — they are third-country parties for Art.27 purposes.
Violation: Art.27(1) — representative must be established in an EU Member State; a UK entity does not qualify after 31 December 2020. Fine: €340K. Mitigated by the company's good faith (pre-Brexit setup) and rapid appointment of a French representative. Key finding: Legacy pre-Brexit representative arrangements must be reviewed and updated. The UK is a third country.
Art.27 vs. DPO (Art.37): Key Differences
| Dimension | EU Representative (Art.27) | DPO (Art.37) |
|---|---|---|
| Who must appoint | Non-EU controllers/processors (Art.3(2)) | Specific controllers/processors meeting Art.37(1) criteria |
| Establishment requirement | Must be EU-established | Must be "easily accessible" but can be non-EU if accessible |
| Primary role | SA/data-subject contact point | Expert advisory; monitoring of compliance |
| Liability | Does not assume controller's Art.82 liability | Does not assume liability |
| Can same person hold both roles | No — EDPB strongly discourages | Must have no conflict of interest (Art.38(6)) |
| Privacy notice disclosure | Mandatory (Art.13(1)(a)) | Mandatory (Art.13(1)(b)) |
| SA cooperation | Art.31 applies | Art.39(1)(d) — must cooperate with SA |
25-Item Art.27 Compliance Checklist
Classification (Items 1–5)
- 1. Confirm whether Art.3(2)(a) applies — offering of goods/services to EU data subjects
- 2. Confirm whether Art.3(2)(b) applies — monitoring of EU data subjects' behaviour
- 3. Assess Art.27(2) exception: all three conditions simultaneously met? (Documented in writing)
- 4. Confirm no EU establishment exists that would trigger Art.3(1) instead
- 5. Confirm UK operations require separate UK GDPR Art.27 representative (if applicable)
Mandate (Items 6–10)
- 6. Representative identified — established in an EU Member State
- 7. Written mandate signed (covers all 27 EU Member States or specified subset)
- 8. Mandate specifies: territory, scope of authority, duration, termination conditions
- 9. Representative ≠ DPO for same entity (or conflict documented and justified)
- 10. Mandate reviewed and renewed within last 12 months (or confirmed indefinite)
Transparency (Items 11–16)
- 11. Privacy notice updated: Art.13(1)(a) — representative name + address + contact
- 12. Privacy notice updated: Art.14(1)(a) — indirect data sources include representative
- 13. Cookie banner / consent layer identifies representative where controller is named
- 14. In-app privacy disclosures (mobile, SaaS dashboard) include representative details
- 15. Website footer or "Legal" page lists representative as distinct from DPO contact
- 16. Representative contact details are given in an official language of the Member State where the representative is established (or in English where the SA accepts it)
Data Subject Rights Routing (Items 17–20)
- 17. DSAR intake form/email accepts submissions via representative channel
- 18. Internal SLA: representative routes DSARs to controller within 3 business days
- 19. Art.12(3) one-month deadline tracked from date representative receives request
- 20. Extension (Art.12(3)(b)) requires controller authorisation, not representative unilateral action
SA Cooperation (Items 21–23)
- 21. Representative has documented procedure for receiving SA correspondence
- 22. SA inquiry routing reaches controller DPO and legal team within 1 business day
- 23. Representative can facilitate Art.58(1)(b) inspection access if required
Records and Monitoring (Items 24–25)
- 24. Art.30 RoPA record includes representative name, address, and contact details
- 25. Annual review: confirm representative still active, mandate not expired, privacy notices current
12-Week Implementation Timeline (Non-EU Companies)
| Week | Milestone |
|---|---|
| 1–2 | Art.3(2) analysis — confirm territorial scope + Art.27(2) exception assessment |
| 2–3 | Representative candidate selection and commercial agreement |
| 3–4 | Written mandate drafted, reviewed by controller's legal team, signed |
| 4–5 | Privacy notice updated across all products (web, mobile, SaaS dashboard) |
| 5–6 | Art.30 RoPA updated with representative reference |
| 6–7 | DSAR intake routing tested — end-to-end from representative to controller DPO |
| 7–8 | SA inquiry routing tested — simulated inquiry from DE/FR/NL SA |
| 8–9 | UK GDPR representative appointed (if UK users also served) |
| 9–10 | Staff training — customer support team informed of representative role |
| 10–11 | Internal audit: all 25 checklist items verified |
| 11–12 | Management sign-off; representative relationship confirmed active |
Common Compliance Failures
- Exception assumed without documentation — claiming Art.27(2) applies without a written risk assessment covering all three conditions simultaneously. SAs treat an undocumented exception claim as no exception.
- Subsidiary misidentified as representative — a non-EU parent assigns its US staff member as "EU representative" without checking that person is EU-established. Residency in the EU (even temporary) does not equal establishment.
- Representative email in privacy notice, but no routing system — the representative's email is listed, but the representative has no contractual process for forwarding DSARs or SA inquiries, causing deadline breaches.
- Privacy notice updated, RoPA not updated — a common split: the public-facing notice is corrected but the Art.30 record (which the SA may request under Art.58(1)(a)) still omits the representative.
- UK company serving EU users, no EU representative — post-Brexit UK companies frequently assume their existing UK compliance covers GDPR. It does not. The UK is a third country for GDPR purposes.
- Single representative for EU + UK — using a Dublin-based Irish company as representative for both GDPR (correct) and UK GDPR (incorrect — UK requires a UK-established representative).
This post is part of the sota.io GDPR Chapter IV series. See also: GDPR Art.26: Joint Controllers | GDPR Art.28: Processor Obligations | EU-US DPF: Chapter V Transfers