Article 27: Representatives of controllers or processors not established in the Union
If your organization is not established in the EU but falls under GDPR’s extraterritorial scope (Article 3(2)), you must appoint a representative in the Union in writing and be able to prove that appointment. Operationalize Article 27 by confirming Article 3(2) applicability, selecting an EU-based third party to act as representative, documenting the designation, and embedding the representative into your data subject and regulator contact workflows. (Regulation (EU) 2016/679, Article 27)
Key takeaways:
- First decision: confirm Article 3(2) applies to your processing; Article 27 only triggers “where Article 3(2) applies.” (Regulation (EU) 2016/679, Article 27)
- You need written designation and operational readiness, not a symbolic appointment. (Regulation (EU) 2016/679, Article 27)
- Keep an evidence packet: role-and-scope register, appointment record, procedures, and tested communications paths.
Article 27 is a practical requirement: if you are a controller or processor outside the EU and your activities bring you into GDPR’s extraterritorial scope, you need a named EU-based representative and you need the appointment in writing. The representative becomes your formal point of contact in the Union for GDPR-related communications. (Regulation (EU) 2016/679, Article 27)
For a Compliance Officer, CCO, or GRC lead, the operational challenge is rarely the legal concept. It is execution: identifying whether Article 3(2) applies across product lines, choosing a representative that can actually perform the role, wiring them into day-to-day privacy operations (data subject requests, supervisory authority correspondence, incident response triage), and keeping artifacts that hold up under customer diligence and regulator scrutiny.
This page treats Article 27 as a control implementation problem. You will get a scope test, a step-by-step operating procedure, a minimum evidence set, audit questions you should pre-answer, and a practical execution plan you can assign today. Source text is from EUR-Lex. (Regulation (EU) 2016/679, Article 27)
Requirement: Article 27 representative appointment (what the law requires)
Article 27’s core obligation is short and easy to misread: it does not say “consider appointing” or “have a contact email.” It says that where Article 3(2) applies, the controller or processor must designate a representative in the Union, and the designation must be in writing. (Regulation (EU) 2016/679, Article 27)
Treat this as a requirement to (1) make a documented scope determination and (2) maintain a written appointment that stands up as evidence. The excerpt on this page is the core obligation in Article 27(1); the full article also contains narrow exemptions (Article 27(2), for certain occasional, low-risk processing and for public authorities or bodies), so record in your scope memo whether you assessed them rather than assuming they apply.
Regulatory text
Excerpt (provided): “Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.” (Regulation (EU) 2016/679, Article 27)
Operator interpretation:
- If your processing triggers GDPR under Article 3(2), you must appoint an EU representative. (Regulation (EU) 2016/679, Article 27)
- “Designate in writing” means you need a formal written instrument (contract clause, letter of appointment, or equivalent) that identifies the representative, the appointing entity, and the effective date, and you must retain it as compliance evidence. (Regulation (EU) 2016/679, Article 27)
- The representative must be in the Union. Treat “in the Union” as an operational constraint when selecting a third party; the full text of Article 27 further ties the representative’s Member State of establishment to where the relevant data subjects are, so check that paragraph before fixing the location.
Plain-English interpretation (what a regulator or customer expects)
If you operate from outside the EU but offer goods or services to data subjects in the Union, or monitor their behaviour there, in a way that brings you under GDPR’s reach via Article 3(2), you must have an EU-based representative that can receive GDPR-related communications and route them to the right owners inside your organization. The representative appointment is only defensible if the representative can actually perform that contact function and you can show the written designation. (Regulation (EU) 2016/679, Article 27)
In practice, this requirement often surfaces through:
- Customer due diligence questionnaires asking “Do you have an EU representative under Article 27?”
- Data subject request workflows that require an EU point of contact
- Supervisory authority correspondence that cannot wait for internal routing debates
Who it applies to (entity + operational context)
You are in scope when all of the following are true:
- You are not established in the EU, and
- You act as a controller or processor, and
- Article 3(2) applies to your processing (this is the explicit trigger in Article 27). (Regulation (EU) 2016/679, Article 27)
Operational contexts that commonly create scope ambiguity:
- Multi-entity corporate structures where a non-EU parent sells into the EU through resellers
- A non-EU processor supporting an EU controller, where contracting and billing entities differ from the operational service entity
- Product-led growth models where EU users sign up directly, but legal and privacy notices were authored for a non-EU context
Control objective: Maintain a reliable, reviewable role-and-scope determination for Article 27 across products/services and legal entities.
What you actually need to do (step-by-step)
Use the steps below as an implementable operating procedure you can assign to Legal + Privacy + GRC.
Step 1: Confirm Article 3(2) applicability and document it
Create a short “Article 27 applicability memo” that answers:
- Which legal entity(ies) are the controller and/or processor for EU-related processing?
- Which products/services involve EU data subjects (or otherwise trigger your Article 3(2) analysis)?
- What is the decision: “Article 27 required” or “not required,” with rationale.
Artifact: GDPR role-and-scope register for this requirement (entity, role, data categories, affected systems, and whether Article 27 applies). This register is the document an auditor will ask for first, because every later artifact (the designation, the runbooks, the tests) inherits its scope from it.
Step 2: Select an EU-based representative (third party) with operational capacity
Selection criteria you can enforce:
- Located in an EU Member State (meets “in the Union”). (Regulation (EU) 2016/679, Article 27)
- Willing to accept and route: data subject inquiries, supervisory authority communications, and formal notices.
- Can meet your response-time expectations (set these internally; regulators will not accept “we could not reach our representative” as a reason for silence).
Third-party risk angle: Treat the representative as a third party with a defined compliance service. Run onboarding with appropriate due diligence (contracting authority, confidentiality, secure communications channel, business continuity expectations). Keep it proportional; the key is defensible selection and workable operations.
Step 3: Designate the representative in writing
Create a written designation package that includes:
- Name and address of the representative entity in the EU
- The appointing controller/processor legal entity name
- Effective date and term
- Scope statement (which products/services or processing activities are covered)
- Communication and escalation paths (named inboxes, ticketing integration, incident hotline)
- Record retention expectations for communications handled by the representative
Artifact: Executed appointment agreement or letter of designation. Article 27 explicitly requires “in writing.” (Regulation (EU) 2016/679, Article 27)
Step 4: Wire the representative into your privacy operations
Make the appointment real by updating operational runbooks:
- DSAR workflow: Representative receives requests, verifies intake completeness, routes to your DSAR owners, tracks status.
- Regulator correspondence workflow: Representative logs communications, triggers internal legal review, tracks deadlines.
- Incident response workflow: Representative has an escalation path for GDPR-related inbound messages during an incident.
Control design tip: Build a single intake channel that your representative uses (a dedicated email alias feeding a case management tool) so you can produce an audit trail.
Step 5: Update your external-facing disclosures and contact points
Even if Article 27 is “done” contractually, customer trust and exam readiness depend on discoverability:
- Ensure your privacy notice and relevant support pages list the representative contact details in a consistent, controlled way (reduce drift between marketing site, app, and PDF notices).
- Align internal support scripts so frontline teams do not misroute EU inquiries.
Your source pack only provides the core Article 27 excerpt; keep external notice updates consistent with your broader GDPR notice obligations under the full regulation. (Regulation (EU) 2016/679)
Step 6: Test and evidence the control on a recurring cadence
At minimum, run tabletop tests:
- Send a simulated data subject inquiry to the representative and confirm routing, logging, and response ownership.
- Send a simulated supervisory authority letter and confirm legal triage and acknowledgment workflow.
Artifact: Evidence packet with dated test results, any issues found, and remediation notes.
Required evidence and artifacts to retain (audit-ready packet)
Maintain a single “Article 27 evidence packet” that includes:
- Role-and-scope register
- Controller/processor role per in-scope processing
- Products/services, data categories, systems
- Article 3(2) applicability decision for each in-scope line
- Decision record
- The written rationale that Article 27 is required (or not required) for each relevant entity/activity
- Written designation
- Executed agreement/letter naming the EU representative (Regulation (EU) 2016/679, Article 27)
- Operating procedure (SOP)
- Owners, triggers (new EU market launch, new EU customer segment, entity restructure), required approvals, and workflow steps
- Operational proof
- Screenshots or exports from case management/ticketing showing representative intake and routing
- Tabletop test results and remediation items
- Third-party onboarding file (proportional)
- Basic due diligence, confidentiality terms, security expectations for handling inquiries, and termination/transition plan
Common exam/audit questions and hangups
Expect these questions from auditors, customers, and external counsel:
- “Show me evidence that Article 3(2) applies and therefore you appointed a representative.”
  Hangup: teams jump to contracting without documenting the scope rationale. Article 27 is conditional. (Regulation (EU) 2016/679, Article 27)
- “Where is the written designation, and who signed it?”
  Hangup: the appointment is referenced in an email, MSA draft, or SOW that never got executed.
- “Which legal entity appointed the representative?”
  Hangup: the operating company processes the data, but a different entity signs the designation.
- “What happens when the representative receives a regulator letter?”
  Hangup: no runbook, no ticketing, no proof of routing, no owner.
- “How do you keep the representative details current across public materials?”
  Hangup: privacy notice updates are ad hoc; contact details drift across pages and languages.
Frequent implementation mistakes (and how to avoid them)
- Treating Article 27 as a checkbox contract
  Avoidance: require a routing test (simulated inquiry) as a go-live gate for the appointment.
- No role clarity (controller vs processor) in the scope file
  Avoidance: maintain the role-and-scope register and tie it to your record of processing activities governance.
- Entity mismatch (wrong legal entity named in the appointment)
  Avoidance: Legal signs off on a one-page entity map before signature.
- Representative cannot perform operationally
  Avoidance: bake service expectations into the written designation and validate communication channels early.
- No transition plan
  Avoidance: document how you will change representatives without losing historical communications or breaking published contact details.
Enforcement context and risk implications
Your provided source catalog includes no public enforcement cases specific to Article 27, so this page does not cite case outcomes.
Risk still matters operationally:
- Regulatory communications risk: If you cannot demonstrate a valid written appointment where Article 3(2) applies, you create avoidable friction in supervisory authority engagement. (Regulation (EU) 2016/679, Article 27)
- Customer diligence risk: Article 27 is a routine question in enterprise procurement. Weak evidence slows deals and triggers legal escalations.
- Operational resilience risk: Without a clear intake and routing mechanism, inbound rights requests and regulator notices can be missed or delayed.
Practical 30/60/90-day execution plan
Your program will move faster if you timebox decisions and force artifacts. Use this plan as a GRC workstream.
First 30 days (establish scope + make the decision)
- Build the Article 27 role-and-scope register across products and entities.
- Draft the Article 27 applicability memo and route it for Legal/Privacy approval.
- Define selection criteria for an EU representative third party and shortlist candidates.
- Draft the written designation template and internal SOP (owners, triggers, approvals).
Next 60 days (appoint + operationalize)
- Complete third-party onboarding and sign the written designation. (Regulation (EU) 2016/679, Article 27)
- Implement intake plumbing (email alias, ticket queue, escalation to Privacy/Legal).
- Update DSAR and regulator correspondence runbooks to include the representative.
- Update external contact disclosures where your broader GDPR notice program requires it. (Regulation (EU) 2016/679)
By 90 days (test + evidence + stabilize)
- Run at least one end-to-end test for a data subject inquiry and one for regulator correspondence; capture evidence and remediation actions.
- Add a recurring review trigger (org restructure, EU go-to-market change, new processing activity) and an annual refresh task for the evidence packet.
- Prepare a customer-facing “Article 27 response pack” (one-pager plus signed designation excerpt) for sales and security questionnaires.
Where Daydream fits: If you manage third-party compliance evidence across multiple GDPR requirements, Daydream can structure requirement-specific evidence packets (decision record, control outputs, exceptions, remediation) and keep them ready for audits and customer diligence, without rebuilding the same binder every cycle.
Frequently Asked Questions
Do we need an Article 27 representative if we are outside the EU but have EU customers?
Article 27 triggers “where Article 3(2) applies.” Confirm and document whether your EU-related processing falls under Article 3(2) before you appoint. If it does, you must designate an EU representative in writing. (Regulation (EU) 2016/679, Article 27)
Can our DPO be the EU representative?
Article 27 requires a representative “in the Union” designated in writing; the data protection officer is a separate function under the Regulation (Article 37), and the two roles have different duties. If your DPO function is provided by an EU-based entity and you formally designate that entity as representative in writing, it may be workable, but you still need the written designation, an assessment of any conflict between the two roles, and operational routing that functions. (Regulation (EU) 2016/679, Article 27)
What counts as “designate in writing”?
Keep an executed agreement or letter of designation that identifies the EU representative and the appointing controller/processor entity. Store it in your compliance evidence repository and link it to your scope decision. (Regulation (EU) 2016/679, Article 27)
We have multiple non-EU affiliates. Do we need one representative or several?
Article 27 applies to the controller or processor where Article 3(2) applies. Start by mapping which legal entities act as controller/processor for EU-related processing, then decide whether a single representative can be designated to cover multiple entities within a clearly defined scope, documented in writing. (Regulation (EU) 2016/679, Article 27)
What evidence do customers and auditors usually ask for?
They ask for your written designation and proof that you determined applicability (role-and-scope and decision record). They also ask how communications flow operationally, so keep a runbook and at least one tested example in your evidence packet. (Regulation (EU) 2016/679, Article 27)
What is the fastest way to fail this requirement after appointment?
Publishing or sharing representative details but not routing inbound messages to an accountable internal owner. Prevent this with a dedicated intake channel, ticket logging, and periodic tests that you can produce as evidence. (Regulation (EU) 2016/679, Article 27)