You are outside the EU. The GDPR still applies to you.
GDPR Article 27 — EU Representation for Non-EU Controllers and Processors.
Published 2026-01-22
If your startup is based outside the EU and you collect data from people in the EU, you probably need an EU representative. This is not optional. It is a legal obligation under the GDPR.
Here is what Article 27 requires and what you need to do.
When does this apply?
Article 3(2) of the GDPR extends its reach beyond EU borders. If your company:
- Offers goods or services to people in the EU (even for free), or
- Monitors behaviour of people in the EU (analytics, tracking, profiling)
...then the GDPR applies to you. Article 27(1) then requires you to designate a representative in writing in one of the EU Member States where your data subjects are located.
The one exception — and why it probably does not apply to you
Article 27(2) provides a narrow exemption. You do not need a representative if:
- Your processing is occasional, AND
- You do not process special categories of data (Article 9) or criminal conviction data (Article 10) on a large scale, AND
- The processing is unlikely to result in a risk to the rights of individuals.
All three conditions must be met. If your startup runs a SaaS product with EU users, collects personal data regularly, or processes any sensitive data — this exemption does not apply.
Source: GDPR Article 27(2)(a)–(b), referencing Articles 9 and 10
Where must the representative be located?
The representative must be established — physically, not just on paper — in a Member State where your data subjects are.
If you serve users across multiple EU countries, choose the state with your largest user base.
Source: GDPR Article 27(3)
What does the representative actually do?
The representative acts as your contact point within the EU. Their mandate must be in writing. They must be authorised to:
- Receive and respond to inquiries from supervisory authorities (data protection regulators).
- Receive and respond to requests from data subjects (your users).
- Handle all communications related to your data processing activities.
The representative must have sufficient knowledge of your processing operations to respond effectively.
Source: GDPR Article 27(4)
A representative does not shield you from liability
This is important. Appointing a representative does not replace your own obligations. Legal proceedings can still be initiated directly against you as the controller or processor.
The representative is an additional compliance layer — not a substitute.
Source: GDPR Article 27(5)
Your next steps
What you should do now.
1. Determine if Article 3(2) applies to your processing activities.
2. Assess the Article 27(2) exemption — document why it does or does not apply.
3. Appoint a representative in the EU Member State where most of your data subjects are.
4. Formalise the mandate in writing — specify the scope of authority.
5. Update your privacy notice to include the representative’s contact details.
This content is regulatory guidance, not legal advice. Always consult qualified legal counsel for your specific situation.
Sources
Reference | Citation
GDPR full text | Regulation (EU) 2016/679 (CELEX 32016R0679)
Article 27(1) | Designation requirement for non-EU controllers/processors
Article 27(2) | Exemption for occasional, low-risk processing
Article 27(3) | Representative location requirement
Article 27(4) | Representative mandate and role
Article 27(5) | Liability remains with controller/processor
Article 3(2) | Territorial scope — EU reach to non-EU entities
Article 9 | Special categories of personal data
Article 10 | Criminal conviction and offence data
RuleMesh data references
Graph | Data used
graphs/articles/32016R0679_article_27 | Article structure, 5 paragraphs, 33 keywords, compliance tips per paragraph.
Paragraph 27-1 | IT functions: Data Management, Third-Party Management.
Paragraph 27-2 | IT functions: Data Management, Risk Management.
Paragraph 27-3 | IT functions: Data Management, Third-Party Management.
Paragraph 27-4 | IT functions: Data Management, Third-Party Management, Training & Awareness.
Paragraph 27-5 | IT functions: Risk Management, Third-Party Management.
Article 27 as structured requirements
RuleMesh publishes Article 27(1)–(5) as IT requirements, mapped to governance, third-party, and communication controls.