One requirement consistently surprises non-EU businesses: even with no office in Europe, GDPR may oblige you to appoint a local representative. It follows directly from the regulation’s extraterritorial reach, and it is a concrete, often-missed part of GDPR compliance for international companies.
This guide explains what an EU representative is, when you need one, the exemptions, the role and its limits, and the separate UK requirement after Brexit.
What an EU representative is
If your organisation is based outside the EU but falls within GDPR’s scope, you generally have to appoint an EU representative under Article 27. The representative is a person or company, established in an EU member state, who acts as a local point of contact for individuals and supervisory authorities.
The idea is simple: if a regulator or an EU resident needs to reach you about data protection, they should not have to chase a company on another continent. The representative gives them someone local to approach.
When you need one
You need an EU representative if you have no establishment in the EU but are caught by GDPR’s extraterritorial scope — that is, you offer goods or services to people in the EU, or monitor their behaviour.
So a US, Indian or Australian company with EU customers or website users, and no EU office, typically needs to appoint a representative.
Free resource
The Ultimate Guide to GDPR
Confirm whether you need an EU or UK representative and set it up right.
The exemptions
There is a limited exemption. You do not need a representative if your processing is occasional, does not include large-scale special category or criminal data, and is unlikely to result in a risk to individuals. Public authorities are also exempt.
The exemption is narrow, though — most businesses that regularly handle EU customers’ data will not qualify, so do not assume it applies.
Where the representative must be
The representative must be established in one of the member states where the individuals whose data you process are located. If your EU customers are spread across several countries, you choose one where a significant number of them are.
This ensures the contact point is genuinely within the EU and reachable under EU law.
What the representative does
The representative acts as the contact point for supervisory authorities and data subjects on all issues relating to your processing. They are mandated by you to be addressed in addition to, or instead of, you, and they typically maintain a copy of your Record of Processing Activities and make it available to regulators.
In effect, they are your local face for data protection in the EU — not a decision-maker about your data, but a reachable representative.
Naming the representative
You must name the representative and make their details easily accessible to individuals — usually in your privacy notice — so people know who to contact. The appointment should be in writing, in a mandate that sets out their role.
An unnamed or hidden representative defeats the purpose; the whole point is that people can find and reach them.
Representative vs DPO
The representative is often confused with the Data Protection Officer, but they are different roles. A DPO is an independent adviser and monitor of compliance; a representative is a local contact point. You might need both, one, or neither depending on your situation.
A non-EU company doing large-scale monitoring, for instance, could need a DPO and an EU representative.
Liability and the representative
Appointing a representative does not transfer your liability — you remain responsible for your GDPR compliance. The representative can, however, be addressed by regulators and individuals, and may face enforcement in connection with your processing, which is why representative providers take the role seriously.
Think of the representative as a conduit and local accountability point, not a shield that absorbs your obligations.
The UK representative
Brexit created a mirror requirement. If you are outside the UK but process UK residents’ data within scope of the UK GDPR, you generally need a UK representative as well, established in the UK.
So a US company serving both EU and UK customers, with no establishment in either, may need two representatives — one in the EU and one in the UK.
How to appoint one
You can appoint an in-house entity (such as an EU group company) or, more commonly, use a specialist representative service. The appointment is a written mandate; the provider then handles correspondence from regulators and individuals and maintains the required records.
Specialist services are popular because they offer EU presence and expertise without the cost of setting up your own entity.
Common mistakes
Typical failings include assuming you don’t need a representative because you have no EU office (that is precisely when you might), relying on the narrow exemption when it doesn’t apply, not naming the representative in the privacy notice, and forgetting the separate UK requirement.
Each is easily avoided once you have assessed your scope properly.
Where it fits in your programme
The representative requirement flows directly from scope: once you confirm GDPR applies to you and you have no EU establishment, the representative is part of meeting it. It pairs naturally with your scope assessment, privacy notice and Record of Processing Activities.
Handled together, these turn “we’re a non-EU company in scope” into a coherent, compliant setup.
How ISpectra helps
Determining whether you need an EU or UK representative — and appointing one correctly — is a practical step in GDPR compliance for any non-EU business. ISpectra Technologies helps organisations assess their scope, decide whether the requirement and exemptions apply, and put the right representative arrangements and privacy-notice disclosures in place.
If you operate from outside Europe but serve EU or UK customers, a short review will confirm what you need.
In one paragraph
An EU representative is a local contact point that organisations outside the EU must appoint under Article 27 when they fall within GDPR’s scope but have no EU establishment — that is, they target or monitor people in the EU. The representative, based in a member state where your data subjects are, handles contact from regulators and individuals, often holds a copy of your Record of Processing Activities, and must be named in your privacy notice. A narrow exemption covers occasional, low-risk processing. The representative is not a DPO and does not absorb your liability. Since Brexit, a separate UK representative may also be required, so non-EU companies serving both markets can need two.
Free consultation
Need help with GDPR?
Talk to our data-protection specialists — we’ll map your fastest path to compliance.
A quick scenario
Picture a US-based SaaS company with thousands of users across Germany, France and Spain, and no office anywhere in Europe. Because it offers its service to people in the EU, it is squarely within GDPR’s scope under Article 3, and with no EU establishment it cannot rely on having a local presence already. Its processing is regular and central to the business — not occasional — so the narrow exemption does not help. The conclusion is clear: it must appoint an EU representative, established in one of those member states where a significant number of its users are, and name that representative in its privacy notice.
If the same company also has UK users, it needs a UK representative too. Many businesses in this position use a specialist representative service in each territory, which provides the local presence, handles correspondence from regulators and data subjects, and maintains the required records — far cheaper than establishing their own EU and UK entities. The key lesson is that “we have no European office” is not a reason the rule does not apply; it is precisely the situation the representative requirement is designed for.