What Article 27 actually mandates
Article 27(1) GDPR obliges every controller or processor that is "not established in the Union" but processes personal data of individuals in the EU to designate in writing a representative in the Union. The representative must be established in one of the Member States where "the data subjects... are" — in practice, in the Member State with the company's largest EU user base.
What the representative is NOT: not a Data Protection Officer (Art. 37), not an EU lawyer, not a subsidiary. What it IS: a natural or legal person established in the EU (Art. 4(17)), mandated in writing by the company, acting as a point of contact for supervisory authorities and data subjects on all issues related to the processing, receiving inquiries and forwarding them to the US company. Liability remains with the US controller or processor: Art. 27(5) makes the designation of a representative "without prejudice to legal actions" against the company itself, so the representative is not a "shield."
Practical note: many US companies misread Article 27 as a threshold test. It is not. The obligation applies whenever Art. 3(2) applies, and the Art. 27(2)(a) exemption removes it only where ALL three conditions are met cumulatively: the processing is occasional, it does not include large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10), and it is unlikely to result in a risk to the rights and freedoms of natural persons. Fail any one condition and a representative is required. In practice, almost every SaaS platform with EU users fails the first condition alone.
Who needs one — and when not
Required: every company without EU establishment that offers goods or services to EU users (Art. 3(2)(a)) or monitors the behavior of EU users (Art. 3(2)(b) — so virtually every analytics platform, every tracking SDK, every programmatic-ad platform).
Exemption under Art. 27(2)(a): processing is "occasional" AND does not include large-scale processing of special categories (Art. 9) or criminal-offence data (Art. 10) AND is unlikely to result in a risk. This threshold is narrow: the EDPB's Guidelines 3/2018 on territorial scope (adopted 2018) state that processing is "occasional" only if it is not carried out regularly and occurs outside the regular course of the company's business or activity. A US app with 50 German users generating daily data is not "occasional." (Art. 27(2)(b) separately exempts public authorities and bodies, which is irrelevant for a US SaaS.)
Often overlooked: B2B companies are not exempt. If a US CRM processes personal data of EU employees at its customers, that is processing of personal data; the data subject in the EU Member State is a natural person, even if the contract is B2B. We see this mistake regularly at US SaaS companies that collect "business email" addresses.
Second trap: the DSA Article 13 legal representative is a PARALLEL obligation, not a substitute. If the US company qualifies as an "intermediary service" under the DSA (mere conduit, caching or hosting services, including online platforms such as marketplaces, as well as online search engines), it needs a DSA Article 13 representative IN ADDITION to the Article 27 representative. Both roles can be performed by the same entity, but that must be set out in writing.
The 4-step appointment process
Step 1 (Week 1) — choose Member State. Per Art. 27(3) the representative must be established in a Member State where the relevant data subjects are. With diffuse EU user bases, the Member State with the highest user share is usually selected: Germany, the Netherlands, Ireland, or France. Note: the seat of the representative does NOT create a lead supervisory authority. The "one-stop-shop" mechanism (Art. 56) requires a main establishment in the Union, and the EDPB states in Guidelines 3/2018 that appointing a representative does not trigger it; a company without EU establishment remains subject to the supervisory authority of every Member State in which it is active, acting through the representative. The choice is still strategic, because the authority at the representative's seat is the one most likely to make first contact, and in Germany that is the data protection authority of the relevant Land, not the federal BfDI, whose competence covers federal public bodies and telecommunications and postal providers.
Step 2 (Week 2) — mandate the representative. Written mandate letter, covering at minimum: (a) the controllers / processors the representative represents; (b) the processing activities; (c) the obligation to maintain the Article 30 record, which Art. 30(1) and (2) place on the representative alongside the controller or processor; (d) the availability guarantee (inquiries forwarded within [X] business days); (e) the liability allocation. Specialized representative service providers offer template mandates that can be customized.
Step 3 (Week 3) — update the privacy notice. Per Art. 13(1)(a) (and Art. 14(1)(a) for data not obtained from the data subject) the privacy notice must disclose the identity and contact details of the representative (name, address, contact details). Art. 13(2)(d) additionally requires informing data subjects of their right to lodge a complaint with a supervisory authority. A common mistake: the representative is named only "internally" but not in the public-facing privacy notice. That is insufficient and a typical entry point for supervisory authorities.
Step 4 (Week 4) — set up the data subject request workflow. The representative must accept requests AND have them answered in time — the GDPR deadlines (Art. 12(3): one month, extendable) start running upon receipt by the representative, not upon forwarding to the US company. Operationally: SLAs between representative and US company, ideally with a shared ticket inbox.
Five mistakes that recur in first-time enforcement
Mistake 1 — No representative appointed, because the US company points to a US-based processor or hosting arrangement. Where the US company is itself the controller or processor for the Art. 3(2) processing, Art. 27 applies to it regardless of who hosts the data. An EU subsidiary does not remove the obligation unless that subsidiary is itself the controller or processor, i.e. the processing takes place in the context of the activities of that EU establishment (Art. 3(1)); a subsidiary is a separate legal entity, and its mere existence does not make the US parent "established in the Union."
Mistake 2 — Representative appointed in a Member State where none of the company's data subjects are located, because it is cheaper there. This does not satisfy Art. 27(3), which ties the seat to a Member State where the data subjects are, and it becomes operationally messy where DSA Article 13 also applies with its own seat requirement (a Member State where the service is offered). We recommend the Member State with the largest EU user group.
Mistake 3 — Representative only named in internal email, not in public privacy notice. The Hessian supervisory authority fined a US AdTech provider €240k in 2023 for this reason — the representative was appointed but not findable for data subjects.
Mistake 4 — Mandate letter only names the parent company, not the subsidiaries that also process EU data. In a group structure, each controlling entity must be listed separately. CNIL has expressly criticized the omission of "subsidiaries" in at least three decisions in 2024.
Mistake 5 — Response times not met. If the representative receives an inquiry on day X and forwards it to the US company only on day X+10, the one-month deadline still runs from day X. The most common consequence: data subject complaint, automatic escalation to the supervisory authority, formal investigation. Operational SLAs are not a nice-to-have.
Coordinating with US counsel and DSA Article 13
For US companies, the Article 27 appointment typically runs in parallel to a series of additional compliance steps: Standard Contractual Clauses in the module matching each transfer (Module 2, controller-to-processor, is the usual one between EU customers and a US processor; Module 3, processor-to-processor, for onward transfers to sub-processors), a Transfer Impact Assessment (TIA) as required after Schrems II, the Art. 30 record of processing activities, and possibly a DPIA per Art. 35. Whoever appoints the Article 27 representative in isolation, without addressing the other building blocks, creates a compliance facade that collapses on the first supervisory inquiry.
Where DSA applies (hosting, marketplace, search): Article 13 DSA requires a representative in one of the Member States where the service is offered. Duties partly parallel to Art. 27, partly stricter — the DSA representative is additionally liable for DSA violations. We recommend the same entity but TWO separate mandate letters, because audit tracking and liability boundaries otherwise collide.
From the US perspective: the Article 27 / Article 13 appointment is typically initiated by the US General Counsel or Privacy Lead. We coordinate as EU counsel with the US team, draft the mandate letters, review the privacy notice updates, and brief the US privacy lead before the first supervisory inquiry. Time-to-production in our experience: 4-6 weeks where EU localization already exists, 8-10 weeks without.
Author
Blaine Phillips
Senior Counsel (US) · New York State Bar
Focus: US platform law (Section 230, DMCA), US privacy (CCPA, CPRA, BIPA), FTC & state-AG enforcement, US-side litigation for international platform disputes.