Article 27: Representatives of controllers or processors not established in the Union

If you are a controller or processor not established in the EU, and your processing falls under GDPR’s extraterritorial scope (Article 3(2)), you must appoint an EU-based representative in writing and be able to show regulators and data subjects who that representative is and how to contact them. This is a documentation-and-operating-model requirement, not a “paper-only” formality. (Regulation (EU) 2016/679, Article 27)

Key takeaways:

  • Trigger check first: confirm whether Article 3(2) applies to your processing, then document the decision.
  • Appoint “in writing” and operationalize: define responsibilities, intake paths, and escalation to your privacy function.
  • Keep evidence ready: appointment letter/contract, public-facing notices, and a working workflow for regulator and data subject communications.

Article 27 is one of the fastest ways for an EU regulator, customer, or procurement team to spot a gap in a non-EU company’s GDPR program: if Article 3(2) applies, they expect a named EU representative with documented appointment and clear contact paths. The operational goal is simple. A regulator or data subject must be able to reach a responsible party in the Union who can route requests to your organization and support supervisory authority engagement.

For a CCO or GRC lead, the work breaks into three tracks: (1) confirm and record scope (are you in Article 3(2) territory, and are you acting as controller, processor, or both?); (2) appoint the representative “in writing” and integrate the rep into your privacy operating procedures; and (3) publish the representative details in the right places and retain evidence that the arrangement works in practice.

Treat this like a third-party risk and accountability control. You are designating an external party to act as a contact point, so you need role clarity, contractual guardrails, and a tested workflow. The rest of this page is requirement-level guidance you can execute quickly.

Regulatory text

Requirement (excerpt): “Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.” (Regulation (EU) 2016/679, Article 27)

What the operator must do

  1. Decide whether Article 3(2) applies to the processing at issue (your extraterritorial GDPR applicability determination), and record that decision so it is auditable.
  2. If Article 3(2) applies, appoint an EU representative “in writing.” That means a formal written instrument (contract or appointment letter) identifying the representative and defining the appointment.
  3. Run this as an operating control, not a one-time legal memo. Your representative needs an intake and escalation path for regulator communications and data subject contact so inquiries do not stall.

Plain-English interpretation

If you do business that brings you into GDPR scope without having an EU establishment, the GDPR expects you to appoint a point-of-contact in the EU and to document that appointment. The practical reason is accountability: regulators and data subjects need a reliable EU-based contact that can reach you and help move requests forward.

This is not the same as appointing a Data Protection Officer (DPO). Article 27 is specifically about a representative in the Union for organizations not established in the Union when Article 3(2) applies. (Regulation (EU) 2016/679, Article 27)

Who it applies to (entity and operational context)

In-scope entities

  • Controllers not established in the Union whose processing triggers Article 3(2).
  • Processors not established in the Union whose processing triggers Article 3(2).
    (Regulation (EU) 2016/679, Article 27)

In-scope operational contexts (what to look for internally)

You should treat Article 27 as “possibly triggered” if your organization:

  • Provides products or services to people in the EU, or
  • Monitors behavior of people in the EU,
    and you do so without an EU establishment (these are typical Article 3(2) trigger patterns you should assess and document as part of your scope decision). (Regulation (EU) 2016/679)

Roles matter

Your obligations and messaging differ depending on whether you act as:

  • Controller (you decide purposes/means), or
  • Processor (you process on behalf of a controller), or
  • Mixed role across products/processing activities.

Operationally, you need a role-and-scope register so your representative appointment is tied to the right legal entity, product(s), and processing activities. This prevents a common failure mode: appointing a rep for “the company” while a different affiliate actually contracts with EU users.

What you actually need to do (step-by-step)

Step 1: Make and document the Article 3(2) applicability decision

Create a short, auditable decision record that answers:

  • Which legal entity is the controller/processor for EU personal data?
  • Do we have an EU establishment? If not, why not?
  • What processing activities might be in Article 3(2) scope?
  • Conclusion: Article 3(2) applies / does not apply (for identified activities), with rationale.

Operator tip: Keep this as a controlled document in your GRC system and tie it to your data map / ROPA inputs if you maintain them. Auditors want traceability from scope decision to control execution.

Step 2: Select an EU representative as a managed third party

Treat the representative like a third party with a defined service:

  • Due diligence: confirm EU presence, ability to handle regulator correspondence, language coverage needed, security expectations for communications, and record retention.
  • Conflict and independence check: confirm the rep can act for you without conflicts (especially if they represent many firms in your sector).
  • Service model: define channels (email, ticketing, portal) and SLAs as contractual obligations you can enforce.

Where Daydream fits naturally: many teams track this as a third-party “privacy critical” relationship. Daydream’s third-party inventory and evidence packet approach helps you keep the appointment instrument, scope decision, and ongoing control outputs together so you can answer customer diligence fast.

Step 3: Execute the “in writing” appointment

Your written appointment (contract or letter) should, at minimum, be explicit about:

  • The appointing entity (full legal name) and the representative entity (full legal name).
  • The scope of appointment (which processing activities / products / affiliates are covered).
  • Responsibilities: receiving communications from supervisory authorities and data subjects, and routing to you.
  • Cooperation and escalation: how and when they notify you, and who in your org is accountable.
  • Confidentiality and security expectations for personal data in communications.
  • Term and termination, including transition support and notice requirements.

The legal requirement is the written designation itself. (Regulation (EU) 2016/679, Article 27)

Step 4: Operationalize intake, routing, and accountability

Build a simple operating procedure that answers:

  • Where does the representative send inbound items (shared mailbox, ticketing queue, privacy portal)?
  • Who triages (Privacy Ops, Legal, DPO if applicable, Security for incidents)?
  • What types of inbound do you expect (data subject contacts, regulator inquiries, incident-related questions)?
  • How do you track status to closure (case management fields, timestamps, owner)?
  • What is the escalation path if you miss a response window (internal escalation to CCO/GC)?

Control design goal: you should be able to prove this works through artifacts (case logs, test records, communications).

Step 5: Publish representative details where stakeholders will look

Even though this page focuses on the appointment obligation, operational readiness includes making the representative discoverable. In practice, align your public-facing notices and contact points so:

  • Data subjects can find the representative contact in your privacy notice (and other relevant notices).
  • Your internal teams (Support, Trust, Sales, Security) know where to send EU privacy inquiries.

Keep screenshots or exports of the notice pages as evidence of publication at a point in time.

Step 6: Monitor and re-confirm scope

Add triggers that force a re-check of Article 27 coverage:

  • New EU market entry, new EU-targeted product, new tracking/monitoring feature.
  • M&A, affiliate restructuring, contracting entity changes.
  • Significant processing changes, new data categories, new processing purposes.
  • Termination or change of representative service.

Required evidence and artifacts to retain

Maintain an “Article 27 evidence packet” that a regulator or customer auditor can digest quickly:

  1. Scope decision record (Article 3(2) applicability, entity/role determination).
  2. Signed written appointment (contract/letter) naming the EU representative. (Regulation (EU) 2016/679, Article 27)
  3. Representative third-party file: due diligence notes, security review, onboarding checklist, contacts.
  4. Operating procedure: intake, triage, escalation, and ownership (RACI is ideal).
  5. Publication evidence: privacy notice excerpt and screenshot showing representative contact.
  6. Operational proof: case log extracts (redacted), test email/ticket results, periodic checks that the contact channel works.
  7. Exceptions register: if any business unit claims out-of-scope, record why and who approved.

Common exam/audit questions and hangups

Expect questions like:

  • “Show your Article 3(2) analysis and why Article 27 applies or does not apply.”
  • “Who is your EU representative? Provide the written designation.” (Regulation (EU) 2016/679, Article 27)
  • “Which legal entity appointed the representative, and which processing activities does it cover?”
  • “How do regulator communications get routed and tracked? Show evidence of a working workflow.”
  • “Where is the representative listed in your privacy notice? Show me.”

Common hangup: teams can produce a contract but cannot show a functioning operating process. Auditors read that as a control that exists on paper only.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: appointing a rep without documenting Article 3(2) scope.
    Avoidance: require a scope memo as a gating item for the appointment and renewals.

  2. Mistake: wrong contracting entity signs.
    Avoidance: tie the signature block to your role-and-scope register and your customer contracting entity.

  3. Mistake: the representative mailbox forwards into a black hole.
    Avoidance: integrate the rep’s intake into your privacy case management process and run periodic tests.

  4. Mistake: unclear processor vs controller coverage.
    Avoidance: list the role per product/processing activity in a register and reference it in the appointment scope.

  5. Mistake: no offboarding plan.
    Avoidance: contract for transition support, and pre-stage internal notice updates and comms templates.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this page, so this section focuses on practical risk. Article 27 issues often surface through:

  • Customer/vendor due diligence (procurement asks who your EU rep is).
  • Regulator correspondence that cannot find a reliable EU contact.
  • Data subject complaints that trigger supervisory authority follow-up.

Operational risk is less about the appointment document itself and more about responsiveness. If your representative is named but cannot route requests into your organization, you create unnecessary regulatory friction and reputational risk.

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and appoint)

  • Create the Article 3(2) applicability decision record and get Legal/Privacy sign-off.
  • Build a role-and-scope register (controller vs processor, data categories, systems).
  • Select an EU representative as a third party and complete onboarding due diligence.
  • Execute the written appointment instrument. (Regulation (EU) 2016/679, Article 27)

Days 31–60 (operationalize and publish)

  • Write and approve the operating procedure (intake, triage, escalation, owners).
  • Set up case management routing (ticket queue, shared mailbox, or portal).
  • Update privacy notice/contact pages to include representative details; capture publication evidence.
  • Run a tabletop test: simulated regulator email + simulated data subject inquiry routed via the representative.

Days 61–90 (prove operation and harden controls)

  • Run periodic tests of the rep contact channel; log results and remediation.
  • Add triggers into product launch, DPIA/intake, and third-party onboarding to re-check Article 27 scope.
  • Create an “evidence packet” template and store artifacts on a recurring cadence.
  • If you use Daydream, centralize the scope decision, rep contract, notice evidence, and test logs in one control record for faster audits and customer requests.

Frequently Asked Questions

If we have no office in the EU, do we always need an EU representative?

No. You need an EU representative when your processing falls under GDPR’s Article 3(2) scope and you are not established in the Union. Document the Article 3(2) decision before you treat Article 27 as required. (Regulation (EU) 2016/679, Article 27)

Does Article 27 apply to processors as well as controllers?

Yes. The text applies to “the controller or the processor” when Article 3(2) applies. Your written appointment should match your role for each processing activity. (Regulation (EU) 2016/679, Article 27)

What does “designate in writing” mean in practice?

Use a signed contract or appointment letter that identifies the EU representative and the appointing legal entity, and that clearly states the scope of the designation. Keep it in an audit-ready evidence packet. (Regulation (EU) 2016/679, Article 27)

Can our law firm be the EU representative?

Article 27 requires a “representative in the Union” appointed in writing; it does not, in the excerpt provided, restrict the role to a particular type of organization. Confirm fit through due diligence and define the operating workflow so inquiries do not stall. (Regulation (EU) 2016/679, Article 27)

How do we operationalize the representative so this isn’t just a contract on file?

Create a documented intake and escalation procedure, connect the representative’s contact channel to your case management workflow, and retain proof that routing works (test logs, redacted case records).

What evidence should we expect customers to ask for during due diligence?

Many will ask for the name and contact details of your EU representative plus proof of written appointment, and they may request to see where it appears in your privacy notice. Keep a packaged evidence set so Sales and Security do not scramble.

