Regulatory Advisory 027

You Are Outside the EU. The GDPR Still Applies to You.

GDPR Article 27 — EU Representation for Non-EU Controllers and Processors. If your startup is based outside the EU and you collect data from people in the EU, you probably need an EU representative. This is a legal obligation.


When Does This Apply?

Article 3(2) of the GDPR extends its reach beyond EU borders. If your company:

  • Offers goods or services to people in the EU (even for free).
  • Monitors behaviour of people in the EU (analytics, tracking, profiling).

...then the GDPR applies to you. Article 27(1) then requires you to designate a representative in writing in one of the EU Member States where your data subjects are located.

Location

The representative must be established — physically, not just on paper — in a Member State where your data subjects are. If you serve users across multiple EU countries, choose the state with your largest user base.

What They Do

The representative acts as your contact point. They must be authorised to respond to inquiries from supervisory authorities and data subjects, and handle all communications related to data processing.


A Representative Does Not Shield You from Liability

Appointing a representative does not replace your own obligations. Legal proceedings can still be initiated directly against you as the controller or processor. The representative is an additional compliance layer — not a substitute.


The One Exception

Article 27(2) provides a narrow exemption. You do NOT need a representative if ALL THREE apply:

  • Frequency: occasional processing only.
  • Sensitivity: no large-scale processing of sensitive data (the Article 9 and Article 10 categories).
  • Risk profile: the processing is unlikely to result in a risk to the individuals concerned.

If you run a SaaS product with EU users, this exemption likely does not apply.

Protocol Mapping

Article     Domain            Requirement
27(1)       Governance        Written Designation
27(3)       Infrastructure    EU Establishment
27(4)       Communication     Authority Liaison

What You Should Do Now

Step 1: Determine whether Article 3(2) applies to your processing activities.

Step 2: Assess the Article 27(2) exemption and document the decision.

Step 3: Appoint a representative in the relevant EU Member State.

Step 4: Formalise the mandate in writing, with defined authority.

Step 5: Update your privacy notice with the representative's details.

Statutory References

Regulation (EU) 2016/679

Ref                    Citation / Role
Article 27(1)-(5)      Designation, Exemption, Location, Mandate, and Liability
Article 3(2)           Territorial scope: EU reach to non-EU entities
Article 9 & 10         Special categories & criminal conviction data thresholds

Legal Handover Protocol

RuleMesh reports are engineered for direct handoff to your legal representative or DPO. Validate your extraterritorial posture with auditable documentation.

This content is regulatory guidance, not legal advice. RuleMesh Technical Advisory data references used: graphs/articles/32016R0679_article_27.