Regingada
General Data Protection Regulation · Regulation (EU) 2016/679

EU Representative under Article 27 GDPR

Controllers and processors that have no establishment in the European Union must designate a representative in the Union — in writing — whenever Article 3(2) of Regulation (EU) 2016/679 (GDPR) applies to their processing: when they offer goods or services to data subjects who are in the Union, or monitor their behaviour as far as it takes place within the Union (Article 27(1) GDPR). Regingada UG (haftungsbeschränkt) takes on that named role under its own representation contract: point of contact for supervisory authorities and data subjects, documentation and records support — not legal advice.

GDPR EU representative service for non-EU SaaS providers, app publishers and online businesses serving customers or tracking users in the Union.

Software & appointed EU representation: Regingada UG (haftungsbeschränkt) · Legal advice exclusively: Kanzlei Theo Funk — separate mandate

Contact Regingada — representation & product
Scope

Who must appoint an EU representative under Article 27

Article 27(1) GDPR ties the duty to Article 3(2) GDPR: a controller or processor not established in the Union must designate a representative in the Union where its processing of personal data of data subjects who are in the Union relates to (a) the offering of goods or services to such data subjects in the Union — irrespective of whether a payment is required — or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Neither trigger requires an EU entity or EU revenue. For the offering limb, recital 23 GDPR looks at whether you envisage offering goods or services to data subjects in the Union — mere accessibility of a website is not sufficient, but factors such as EU languages or currencies with the possibility of ordering, or the mentioning of customers in the Union, make it apparent. For the monitoring limb, recital 24 GDPR points to the tracking of natural persons on the internet, including the subsequent use of profiling techniques to analyse or predict personal preferences, behaviours and attitudes.

If Article 3(2) applies and no exemption under Article 27(2) is available, the designation must be made in writing (Article 27(1) GDPR) — and the representative must be established in one of the Member States where the data subjects concerned are (Article 27(3) GDPR).

The exemptions — Article 27(2) GDPR

The duty does not apply to processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing (Article 27(2)(a) GDPR). It also does not apply to public authorities or bodies (Article 27(2)(b) GDPR).

The three conditions of the first exemption are cumulative. For a live online service that continuously serves or tracks people in the Union, processing is rarely “occasional” — which is why most non-EU SaaS and app businesses within Article 3(2) end up needing the representative.

The role

What the EU representative does

The representative is mandated by the controller or processor to be addressed in addition to or instead of the controller or processor — in particular by supervisory authorities and by data subjects — on all issues related to the processing, for the purposes of ensuring compliance with the GDPR (Article 27(4) GDPR). Unlike most other EU representative regimes, Article 27 makes the representative an address for individuals, not only for authorities.

  • Named address in the Union — receipt of supervisory-authority correspondence and data-subject requests directed at the representative
  • Documented routing — timely forwarding to the people you designate, with a defined escalation path and an audit trail
  • Records — the representative maintains its own record of processing activities under Article 30(1) and (2) GDPR, kept in sync with yours
  • Disclosure support — the representative’s identity and contact details belong in your privacy notices (Articles 13(1)(a) and 14(1)(a) GDPR)

Recital 80 GDPR states that the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor — while Article 27(5) GDPR makes clear that the designation is without prejudice to legal actions against the controller or processor themselves. That is why our representation contract defines duties, information flows and escalation paths precisely.

There is no notification of the representative to a supervisory authority under the GDPR: the designation is documented in the written mandate, in your privacy notices and in the records of processing activities.

Appointment

How the appointment works

Three steps take you from scoping to a disclosed and documented representative function.

  1. Scoping

    A guided question set — the same wizard you can start on this page — records your establishment, your Article 3(2) triggers and the Article 27(2) exemption conditions.

    Deliverablea structured self-assessment record of your Article 27 status — not a legal determination; for that, the law firm advises under a separate mandate.

  2. Written mandate

    We prepare the written designation Article 27(1) GDPR requires, together with the representation contract that sets tasks, information channels and response times.

    Deliverablea draft written designation plus representation contract naming role, duties and information flows — model terms on request.

  3. Disclosure & go-live

    No authority notification is needed under the GDPR — instead, your public disclosures and records are brought in line and the operational contact channel goes live.

    Deliverablea disclosure package: representative contact block for your privacy notice (Articles 13(1)(a) and 14(1)(a) GDPR), Article 30 record entries, and a documented contact channel.

Why Regingada

A named role, held by a registered company.

Portrait of Theo Funk, Rechtsanwalt, founder of Regingada UG (haftungsbeschränkt)
“Article 27 is an operational role: supervisory authorities and data subjects must be able to reach someone in the Union who receives, routes and documents — reliably. Regingada holds that named role under its own contract. Legal judgment stays with my firm, under a separate mandate.”
Rechtsanwalt Theo Funk · Rechtsanwaltskammer Bamberg

Regingada UG (haftungsbeschränkt), HRB 12595, AG Bamberg

Appointed EU representative & software: Regingada UG (haftungsbeschränkt) — wholly owned by German attorney Theo Funk, no legal advice · Legal advice: independent law firm Kanzlei Theo Funk (RAK Bamberg) — separate mandate.

The same regulatory corpus powers the Regingada Compliance Suite — digital-twin software that maps the GDPR alongside the DSA, the AI Act, the DMA and NIS2.

From the Regingada Radar — we track what we represent

  • GDPRGDPR — Data Protection Impact Assessment (Art. 35)Concerns the thresholds and mandatory elements of the DPIA under Art. 35 GDPR.
  • DSADSA — clarification on points of contact (Art. 11)Concerns the authority-facing point of contact under Art. 11 DSA and its public information.
  • AI ActAI Act — prohibited practices (Chapter II)Relates to the catalogue of prohibited AI practices under Chapter II of the AI Act.
All entries →

Orientation, not legal advice.

Do not combine these roles

EU representative vs. data protection officer

Article 27 and Article 37 GDPR create different functions. One is an external address under your mandate; the other is an independent internal oversight role. They should stay separate.

EU representative (Art. 27 GDPR)Data protection officer (Art. 37 GDPR)
Legal basisArticle 27 GDPRArticles 37–39 GDPR
Who appointsNon-EU controllers and processors caught by Article 3(2) GDPRControllers and processors meeting the criteria of Article 37(1) GDPR — wherever established
Core functionAddress in the Union for supervisory authorities and data subjects, in addition to or instead of the company (Art. 27(4))Informs and advises, monitors compliance, cooperates with the supervisory authority (Art. 39(1))
PositionService provider acting on a written mandateIndependent — must not receive instructions regarding the exercise of the tasks (Art. 38(3))
Same person or company?No — see below.

The representative acts on your instructions and, per recital 80 GDPR, should be subject to enforcement proceedings in the event of your non-compliance — while the DPO must perform his or her tasks independently. In its Guidelines 3/2018 on the territorial scope of the GDPR, the European Data Protection Board does not consider the function of the representative compatible with the role of the data protection officer. If you need both, they should be two separate appointments — Regingada takes the Article 27 role only.

Changing providers

Switching your EU representative

Representative mandates change when providers leave the market, terms expire, or groups restructure. An orderly change has three parts — and none of them is complicated if the trail was kept properly.

  • Overlap, not gap — align the end of the old mandate with the new written designation (Article 27(1) GDPR) so there is no period without a representative in the Union
  • Update the disclosures — privacy notices must state the identity and contact details of the current representative (Articles 13(1)(a) and 14(1)(a) GDPR); the Article 30 records of processing are updated in parallel
  • Hand over the trail — open supervisory-authority or data-subject threads, the correspondence log and the representative’s Article 30 record move to the new representative, with a documented cut-over date

We take over existing Article 27 mandates with a structured handover — and if you ever leave, we hand over the same way. The audit trail is yours, not ours.

Typical setups

Three non-EU SaaS scenarios that trigger Article 27

The duty is easy to miss because it follows your EU users, not your corporate structure. Three patterns we see repeatedly:

  • Art. 3(2)(a) GDPR

    US SaaS with EU customers

    A SaaS company incorporated in the US, no EU entity, sells subscriptions to customers in the Union. Offering goods or services to data subjects in the Union triggers Article 3(2)(a) GDPR — irrespective of whether a payment is required. Free tiers count too.

  • Art. 3(2)(a) · recital 23

    App with EU users

    A mobile or web app reaches users in the Union. Mere accessibility is not sufficient (recital 23 GDPR) — but EU-targeted store listings, EU languages or currencies with the possibility of ordering, or marketing that mentions customers in the Union make the offering apparent.

  • Art. 3(2)(b) · recital 24

    Analytics & tracking

    Even without selling anything into the EU, tracking people there can trigger the duty: Article 3(2)(b) GDPR covers the monitoring of behaviour within the Union — recital 24 GDPR points to internet tracking with subsequent profiling to analyse or predict preferences, behaviours and attitudes. Analytics, session replay and ad personalisation live here.

Cost

What determines the cost

The engagement is priced by what the role actually has to carry: how many group companies the designation covers, the expected volume of supervisory-authority and data-subject contacts, documentation and records needs (Article 30 GDPR), whether the role is combined with DSA Article 13, AI Act or NIS2 representation (multi-regime setups reduce coordination overhead), and the response times we commit to.

Engagement terms on request.

FAQ

Frequently asked questions

Can our EU representative also be our data protection officer?

No — the roles should be kept separate. The representative is mandated to be addressed in addition to or instead of you (Article 27(4) GDPR), while the data protection officer must act independently and must not receive instructions regarding the exercise of his or her tasks (Article 38(3) GDPR). In its Guidelines 3/2018 on the territorial scope of the GDPR, the European Data Protection Board does not consider the function of the representative compatible with the role of the data protection officer.

Which exemptions does Article 27(2) GDPR provide?

Two. First, processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. Second, processing by a public authority or body. The conditions of the first exemption are cumulative — for a live online service, processing is rarely occasional.

Do we have to name the representative in our privacy policy?

Yes. Where a representative has been designated, the identity and contact details of the representative are part of the information you must provide to data subjects (Articles 13(1)(a) and 14(1)(a) GDPR). We supply the representative contact block for your privacy notice as part of onboarding.

Can the representative be the target of enforcement?

Recital 80 GDPR states that the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor. At the same time, Article 27(5) GDPR makes clear that the designation is without prejudice to legal actions which could be initiated against the controller or the processor themselves. Our representation contract reflects that by defining duties, information flows and escalation paths precisely.

How do we change an existing EU representative?

By aligning the end of the old mandate with a new written designation (Article 27(1) GDPR), updating your privacy notices (Articles 13(1)(a) and 14(1)(a) GDPR) and your records of processing activities (Article 30 GDPR), and handing over open authority or data-subject threads together with the correspondence log. We support structured handovers in both directions.

Does the representative have to be registered with a supervisory authority?

No. The GDPR provides no registration of the representative with a supervisory authority — the designation lives in the written mandate, your privacy notices and the records of processing activities. That differs from NIS2, where certain entities must submit registration information that includes the details of their representative designated pursuant to Article 26(3) (Article 27 of Directive (EU) 2022/2555).

Can one representative act for several group companies?

Yes. Article 27 GDPR attaches the duty to each controller or processor, but nothing in the provision prevents several companies of a group from designating the same representative — each entity makes its own written designation, and the representative must be established in one of the Member States where the data subjects concerned are (Article 27(3) GDPR). Covering a group under one mandate is a common setup and one of the cost factors on this page.

Is this legal advice?

Regingada UG (haftungsbeschränkt) is the software and EU-representation company, wholly owned by attorney Theo Funk. It does not provide legal advice. For legal advice under a separate mandate, please see the independent law firm Kanzlei Theo Funk.

What does it cost?

The engagement depends on how many group companies the designation covers, the expected volume of supervisory-authority and data-subject contacts, documentation and records needs, whether the role is combined with DSA Article 13, AI Act or NIS2 representation (multi-regime setups reduce coordination overhead), and agreed response times. Engagement terms on request.

Appoint your Article 27 EU representative.

Start with the scoping check — it records your Article 3(2) triggers and Article 27 status and leads straight into the representation request.

Legal advice on representative obligations — Kanzlei Theo Funk (separate mandate)