A GDPR Representative (Article 27) is a designated individual or organisation physically established in the EU that serves as the local point of contact for data protection authorities and data subjects on behalf of a non-EU company that processes EU personal data. Appointment is mandatory under the General Data Protection Regulation for most non-EU controllers and processors.
If your company is based outside the European Union but offers goods or services to people in the EU — or monitors their behaviour — you almost certainly need a GDPR representative. Article 27 of the General Data Protection Regulation requires non-EU controllers and processors to designate a representative physically established in an EU member state. Ignore this obligation and you face fines of up to €10 million or 2% of global annual turnover, whichever is higher.
Despite this, compliance surveys consistently estimate that a significant majority of non-EU companies that should have an Article 27 representative have not actually appointed one. Many don't know the requirement exists. Others confuse it with having a Data Protection Officer. Some assume that using EU-based cloud hosting is enough.
This guide explains exactly who needs a GDPR representative, what the representative does, how much it costs, and how to choose the right provider — with a particular focus on why EU member states like Croatia are becoming popular choices for representative services due to cost advantages and strong regulatory infrastructure.
| Quick Reference | Details |
|---|---|
| Legal basis | Article 27 GDPR — Representatives of controllers or processors not established in the Union |
| Who needs one | Non-EU controllers/processors that offer goods/services to EU individuals or monitor their behaviour |
| Exemptions | Public authorities; processing that is occasional, low-risk, and doesn't involve special categories or criminal data at large scale |
| Representative must be | Established in one of the EU/EEA member states where the data subjects are located |
| Key responsibility | Serve as a point of contact for supervisory authorities and data subjects |
| Penalty for non-compliance | Up to €10 million or 2% of global annual turnover (Article 83(4)) |
| Typical cost | €1,200–€12,000/year depending on provider, location, and scope |
| Croatia advantage | 30–50% lower costs than Western EU providers with full EU regulatory standing |
Key Takeaways
- Article 27 GDPR requires non-EU companies that process EU personal data to appoint a representative physically established in the EU — this is a legal obligation, not optional
- A GDPR representative is not the same as a DPO — the representative is a local contact point for authorities and data subjects, while the DPO oversees internal compliance
- Exemptions are narrow: only public authorities or genuinely occasional, low-risk processing qualifies — most commercial operations do not
- Failure to appoint a representative is itself a fineable offence (up to €10M / 2% of turnover), and it can trigger additional scrutiny from regulators
- The representative must be established in a member state where your data subjects are — but a single representative can cover all EU/EEA countries
- Croatia offers a compelling base for GDPR representation: full EU member since 2013, eurozone since 2023, with AZOP (the Croatian DPA) as a well-resourced supervisory authority and significantly lower service costs than Ireland, Germany, or the Netherlands
- Costs range from €1,200 to €12,000 per year depending on processing complexity, data volume, and service level
- When choosing a provider, prioritise regulatory expertise, responsiveness to DPA inquiries, and multilingual capability over brand recognition alone
Table of Contents
- What Is a GDPR Representative?
- Article 27 GDPR: The Legal Requirements
- Who Needs a GDPR Representative?
- Who Is Exempt?
- GDPR Representative vs. Data Protection Officer: Key Differences
- What Does a GDPR Representative Actually Do?
- Where Should Your Representative Be Located?
- Why Croatia Is Emerging as a GDPR Representative Hub
- GDPR Representative Costs: What to Expect
- How to Choose a GDPR Representative Provider
- The Appointment Process: Step by Step
- Consequences of Not Appointing a Representative
- GDPR Representative for Specific Sectors
- Future Outlook: Article 27 Enforcement Trends
- Frequently Asked Questions
- Related Resources
What Is a GDPR Representative?
A GDPR representative is an individual or organisation physically established in the European Union that acts as the local point of contact for a non-EU data controller or processor. Think of them as your company's regulatory front door in the EU — the person or entity that supervisory authorities (like AZOP in Croatia, CNIL in France, or the Irish DPC) and EU data subjects can reach when they have questions, complaints, or enforcement actions related to your processing of their personal data.
The representative is mandated by Article 27 of the GDPR. This isn't a best-practice recommendation — it's a legal requirement with real penalties attached.
Important clarifications:
- The representative acts on your behalf regarding your GDPR obligations, but they do not replace your own accountability as a controller or processor
- The representative is not your DPO (though the same organisation can potentially serve both roles)
- The representative is not your EU legal counsel, though they should understand data protection law
- The representative must be able to receive communications from DPAs and data subjects and relay them to you promptly
The role was specifically designed to address a practical problem: EU regulators and citizens need someone they can physically reach within EU jurisdiction when dealing with organisations headquartered in the US, UK, Switzerland, Israel, Singapore, or any other non-EU country.
Article 27 GDPR: The Legal Requirements
Here is the exact text of Article 27(1):
"Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union."
Article 3(2) is the GDPR's extraterritorial scope provision. It applies when a non-EU controller or processor either:
(a) Offers goods or services to data subjects in the EU (regardless of whether payment is required), or
(b) Monitors the behaviour of data subjects, insofar as their behaviour takes place within the EU.
The six core requirements of Article 27:
| Requirement | Details |
|---|---|
| Written mandate | The representative must be designated in writing with a clear mandate defining the scope of representation |
| Location | Must be established in one of the member states where the data subjects whose data you process are located |
| Accessibility | Must be reachable by supervisory authorities and data subjects for all issues related to processing |
| Record-keeping | Controller/processor must maintain records of processing activities per Article 30, and the representative's contact details must be included |
| Privacy notice | The representative's contact details must appear in your privacy notice/policy |
| Cooperation with DPAs | The representative must cooperate with supervisory authorities on behalf of the controller/processor |
How Article 3(2) triggers Article 27
Offering goods or services (Article 3(2)(a)):
- Your website is available in EU languages (German, French, Croatian, etc.)
- You accept payments in euros or other EU currencies
- You ship products to EU addresses
- You reference EU customers, markets, or pricing
- You use EU-specific domain extensions (.eu, .de, .hr)
Monitoring behaviour (Article 3(2)(b)):
- You track EU users with cookies, analytics, or pixels
- You use behavioural advertising targeting EU residents
- You profile EU individuals based on their online activity
- You use location tracking for individuals in the EU
- You conduct market research on EU consumer behaviour
If either trigger applies, you need a GDPR representative — unless you qualify for one of the narrow exemptions.
Who Needs a GDPR Representative?
In practice, the following types of non-EU companies almost always need an Article 27 representative:
Companies that definitely need one
| Company Type | Why Article 27 Applies |
|---|---|
| US/UK SaaS companies with EU customers | Offering services to EU data subjects — Article 3(2)(a) |
| E-commerce retailers shipping to EU | Goods offered to EU addresses with EU payment methods |
| Ad-tech and analytics companies | Monitoring EU user behaviour — Article 3(2)(b) |
| Mobile app developers | Processing data from EU app users, often with behavioural tracking |
| Non-EU employers with EU remote workers | Processing employee personal data of EU-based individuals |
| Israeli/Swiss tech companies | Non-EU/EEA, processing EU customer data |
| UK companies post-Brexit | UK is no longer EU — must appoint EU representative if processing EU data |
| US healthcare companies with EU patients | Cross-border health data processing |
| Financial service providers serving EU clients | Processing financial and personal data of EU individuals |
| AI/ML companies training on EU data | Monitoring behaviour and profiling EU individuals |
The UK post-Brexit reality
Since January 1, 2021, UK-based companies are treated as non-EU entities under GDPR. If you're a UK company processing personal data of individuals in the EU, you need to appoint a GDPR representative in the EU — and separately, EU companies may need a UK representative under the UK GDPR.
This caught many UK businesses off guard. Thousands of companies that were previously compliant as EU-based operations suddenly required an Article 27 representative.
Who Is Exempt?
Article 27(2) provides limited exemptions:
Exemption 1: Public authorities or bodies
Government entities are exempt. This doesn't apply to state-owned enterprises operating commercially.
Exemption 2: Occasional processing meeting ALL three criteria
The processing must be:
- Occasional (not systematic, regular, or ongoing)
- Does not include large-scale processing of special category data (Article 9) or criminal conviction data (Article 10)
- Is unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope, and purposes
All three criteria must be met simultaneously. In practice, this exemption is very narrow:
| Scenario | Exempt? | Why |
|---|---|---|
| US company that processed one EU employee's payroll for a 3-month secondment | Possibly | Genuinely occasional, low-risk, no special categories |
| US SaaS with 50 EU trial users | No | Ongoing service offering, systematic processing |
| Canadian retailer that occasionally ships to EU customers | No | Regular commercial offering to EU market |
| UK marketing agency with EU client data | No | Systematic processing, ongoing business relationship |
| Swiss research institute processing one EU dataset | Possibly | If genuinely one-off and no special categories |
The EDPB's position: When in doubt, appoint a representative. The cost is low relative to the risk, and regulators take a dim view of companies that try to stretch the exemption.
GDPR Representative vs. Data Protection Officer: Key Differences
This is one of the most common points of confusion. The roles serve fundamentally different purposes:
| Dimension | GDPR Representative (Article 27) | Data Protection Officer (Articles 37-39) |
|---|---|---|
| Who needs one | Non-EU controllers/processors processing EU data | Any organisation meeting DPO criteria (public bodies, large-scale monitoring, special categories) |
| Purpose | Local contact point in the EU for authorities and data subjects | Internal compliance oversight and advisory |
| Location | Must be physically established in the EU | Can be anywhere (but EU-based preferred) |
| Independence | Acts on behalf of the controller | Must be independent — cannot receive instructions on how to perform tasks |
| Legal basis | Article 27 | Articles 37–39 |
| Can be external | Yes (typically is) | Yes |
| Can be the same entity | Theoretically yes, but EDPB advises caution due to potential conflicts | N/A |
| Liability | Representative can be directly addressed by DPAs | DPO has no personal liability for non-compliance |
| Cost | €1,200–€12,000/year | €15,000–€100,000+/year |
| Privacy notice | Contact details must be listed | Contact details must be listed |
Can the same organisation serve as both?
The EDPB has noted potential conflicts — the DPO must be independent, while the representative acts on the controller's instructions. However, in practice, many compliance providers offer both services together with appropriate internal separation. This is particularly common with providers based in EU member states like Croatia, where a single firm can serve as your Article 27 representative, external DPO, and general compliance advisor.
What Does a GDPR Representative Actually Do?
A GDPR representative's responsibilities fall into four core areas:
1. Point of contact for supervisory authorities
When a DPA wants to investigate your company, they contact your representative. This includes:
- Receiving formal inquiries and complaints from any EU/EEA supervisory authority
- Forwarding DPA correspondence to you promptly
- Facilitating cooperation between you and the DPA during investigations
- Attending meetings or hearings with the DPA on your behalf (when authorised)
2. Point of contact for data subjects
EU individuals can exercise their GDPR rights through your representative:
- Receiving data subject access requests (DSARs)
- Accepting right-to-erasure ("right to be forgotten") requests
- Handling data portability requests
- Forwarding complaints from data subjects to you
- Providing information about your processing activities when asked
3. Record-keeping obligations
Under Article 30(1), your representative must maintain (or help you maintain) a record of processing activities:
- Name and contact details of the controller and the representative
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures description
4. Ongoing compliance support
Good representative services go beyond the legal minimum:
- Monitoring regulatory developments in their member state
- Alerting you to enforcement trends and DPA guidance
- Advising on privacy notice requirements
- Supporting you during data breach notification (Article 33/34)
- Liaising with local legal counsel when needed
Where Should Your Representative Be Located?
Article 27(3) states the representative must be established in one of the member states where your data subjects are located. If you process personal data of individuals across multiple EU countries, you have flexibility in choosing which member state.
Strategic factors in choosing a location
| Factor | Consideration |
|---|---|
| Where most of your data subjects are | Regulators may prefer the representative to be in the member state with the largest affected population |
| DPA enforcement climate | Some DPAs are more active than others — this cuts both ways (active DPAs provide clearer guidance but also more scrutiny) |
| Language and accessibility | Your representative should communicate effectively with the local DPA and data subjects |
| Cost of services | Representative fees vary significantly by country |
| Legal environment | Established data protection culture and clear legal frameworks |
| Timezone alignment | Practical consideration for day-to-day communication |
Country comparison for GDPR representative services
| Country | Typical Annual Cost | DPA Activity | Pros | Cons |
|---|---|---|---|---|
| Ireland | €5,000–€15,000 | Very high (DPC) | Major tech hub, English-speaking | Most expensive, DPC overwhelmed with cases |
| Germany | €4,000–€12,000 | Very high (17 DPAs) | Strong regulatory framework | Complex multi-DPA structure, German language required |
| Netherlands | €3,500–€10,000 | High (AP) | Good English proficiency | Increasing costs |
| France | €4,000–€12,000 | High (CNIL) | Large market | French language requirements |
| Croatia | €1,200–€5,000 | Moderate (AZOP) | 30-50% cost advantage, EU/eurozone, English proficiency, growing compliance hub | Smaller market (but covers all EU under Art. 27) |
| Poland | €1,500–€6,000 | Moderate (UODO) | Cost-effective | Less English proficiency |
| Estonia | €2,000–€7,000 | Moderate | Digital-first DPA | Small market |
Why Croatia Is Emerging as a GDPR Representative Hub
Croatia has quietly become one of the most attractive locations for GDPR representative services. Here's why:
Full EU standing since 2013
Croatia joined the European Union on 1 July 2013 and adopted the euro on 1 January 2023. It is a full member of the Schengen Area. A GDPR representative based in Croatia has identical legal standing to one based in Ireland, Germany, or France — the GDPR makes no distinction between member states.
AZOP: Croatia's Data Protection Authority
The Agencija za zaštitu osobnih podataka (AZOP) is Croatia's supervisory authority under the GDPR. Key facts:
- Established in 2004, predating Croatia's EU membership
- Active in cross-border enforcement through the EDPB consistency mechanism
- Published guidance on controller-processor relationships, data breach notification, and children's data
- Responsive to inquiries from both controllers and data subjects
- Participates in EDPB-coordinated enforcement actions (e.g., the 2024 coordinated action on the right of access)
Cost advantage
Professional services in Croatia cost 30–50% less than equivalent services in Ireland, Germany, or the Netherlands, while quality remains comparable. This is driven by lower operating costs and a competitive professional services market — not by any difference in regulatory standards or legal expertise.
| Service | Ireland/Germany | Croatia | Savings |
|---|---|---|---|
| GDPR representative (basic) | €4,000–€8,000/yr | €1,200–€3,000/yr | 50–60% |
| GDPR representative + DPO bundle | €15,000–€30,000/yr | €6,000–€15,000/yr | 40–60% |
| Compliance consulting (hourly) | €200–€400/hr | €80–€180/hr | 50–60% |
| Data protection audit | €5,000–€15,000 | €2,500–€7,000 | 40–55% |
Strong professional talent
Croatia produces highly educated professionals in law, IT, and regulatory affairs. The country's universities offer specialised programmes in data protection and EU regulatory law. Many Croatian compliance professionals have experience working across multiple EU jurisdictions and are fluent in English, German, and Italian in addition to Croatian.
Timezone and accessibility
Croatia operates on Central European Time (CET/CEST), providing excellent overlap with:
- US East Coast: 6-hour difference (comfortable afternoon overlap)
- UK: 1-hour difference
- Rest of the EU: Same timezone or ±1 hour
- Middle East: 1-2 hour difference
Zagreb is connected by direct flights to all major EU capitals, making in-person meetings straightforward when needed.
Eurozone membership
Since January 2023, Croatia uses the euro. This eliminates currency conversion complications in billing and contracts — a practical advantage for companies already operating in EUR.
GDPR Representative Costs: What to Expect
Pricing models
| Model | Typical Range | Best For |
|---|---|---|
| Fixed annual fee | €1,200–€12,000/yr | Companies wanting predictable costs |
| Monthly retainer | €100–€1,000/mo | Companies wanting flexibility |
| Tiered packages | €150–€500/mo (basic), €500–€2,000/mo (premium) | Companies wanting to start small and scale |
| Per-inquiry pricing | €50–€200 per DPA/data subject inquiry | Very low-volume processing |
What drives the cost?
| Factor | Impact on Price |
|---|---|
| Volume of processing | More data subjects = higher risk = higher fee |
| Sensitivity of data | Special categories (health, biometric, financial) increases cost |
| Number of DPA inquiries | More regulatory interactions = more work |
| Jurisdictions covered | Representative in one state covers all, but multi-DPA coordination increases complexity |
| Additional services | DPO, breach notification support, compliance consulting bundled in |
| Provider location | Western EU providers charge 2-3x what Croatian or Eastern EU providers charge |
Sample pricing scenarios
| Scenario | Western EU Provider | Croatia-Based Provider |
|---|---|---|
| US SaaS startup, 500 EU users, standard data | €5,000–€8,000/yr | €1,500–€3,000/yr |
| UK e-commerce, 10,000 EU customers, payment data | €8,000–€12,000/yr | €3,000–€5,000/yr |
| US healthtech, EU patient data (special category) | €10,000–€15,000/yr | €5,000–€8,000/yr |
| Israeli fintech, EU financial data, high volume | €12,000–€20,000/yr | €5,000–€10,000/yr |
| Full bundle: representative + external DPO + compliance advisory | €25,000–€50,000/yr | €10,000–€20,000/yr |
How to Choose a GDPR Representative Provider
Essential evaluation criteria
1. Regulatory expertise
- Does the provider have demonstrable experience handling DPA inquiries?
- Can they articulate the difference between Articles 27 and 37?
- Do they understand your industry's specific data protection challenges?
2. Responsiveness
- What are their SLAs for forwarding DPA correspondence?
- How quickly can they acknowledge a data subject request?
- Do they offer 24/7 emergency contact for breach situations?
3. Location and DPA relationship
- Are they genuinely established in the member state (not just a mailbox)?
- Do they have a working relationship with the local DPA?
- Can they communicate in the DPA's official language?
4. Scalability
- Can they handle a sudden surge in data subject requests?
- Do they serve other clients in your industry?
- Can they expand services as your EU presence grows (DPO, compliance, audits)?
5. Transparency
- Are fees clearly disclosed with no hidden costs?
- Do they provide regular reports on activity?
- Can you see a sample mandate agreement before signing?
Red flags to watch for
| Red Flag | Why It Matters |
|---|---|
| "Virtual office" or mailbox-only presence | Must be genuinely established — PO boxes don't satisfy Article 27 |
| No data protection expertise | Some providers are corporate service firms with no GDPR knowledge |
| Unwilling to share DPA interaction history | Good providers are transparent about their regulatory track record |
| Extremely low fees (under €500/year) | Suggests minimal service that may not meet obligations |
| No clear escalation process | You need defined procedures for urgent DPA inquiries and breach scenarios |
| One-size-fits-all contracts | Your mandate should be specific to your processing activities |
The Appointment Process: Step by Step
Step 1: Determine if you need a representative (2-5 days)
Assess whether Article 3(2) applies to your processing:
- Do you offer goods/services to EU individuals?
- Do you monitor the behaviour of EU individuals?
- Are you exempt under Article 27(2)?
Step 2: Choose your representative location (1-2 weeks)
Consider where your data subjects are, cost factors, and strategic alignment. Croatia offers an excellent balance of cost, quality, and regulatory standing.
Step 3: Select a provider (2-4 weeks)
Evaluate providers against the criteria above. Request proposals, compare pricing, check references.
Step 4: Execute the written mandate (1 week)
Article 27 requires a written designation. The mandate should include:
- Identification of the controller/processor and the representative
- Scope of the representative's authority
- Specific obligations and responsibilities
- Communication protocols and SLAs
- Data protection provisions for any data the representative handles
- Term and termination provisions
- Liability and indemnification
Step 5: Update your privacy notice (1-2 days)
Article 13(1)(a) and Article 14(1)(a) require you to include the representative's contact details in your privacy notice.
Step 6: Update your record of processing activities (1-2 days)
Article 30 requires the representative's contact details in your ROPA.
Step 7: Notify relevant DPAs if required (varies)
Some DPAs require notification of the representative appointment. Your representative should guide you on this.
Total timeline: 4-8 weeks from decision to fully operational.
Consequences of Not Appointing a Representative
Direct penalties
Failure to designate a representative under Article 27 is a violation of GDPR that can result in administrative fines under Article 83(4):
- Up to €10 million, or
- Up to 2% of total worldwide annual turnover of the preceding financial year
Whichever is higher.
Indirect consequences
| Consequence | Impact |
|---|---|
| DPA enforcement escalation | Without a local contact point, DPAs may pursue more aggressive enforcement measures |
| Inability to cooperate with investigations | No representative means difficulty engaging with formal regulatory proceedings |
| Data subject complaints | EU individuals may escalate complaints directly to DPAs, triggering investigations |
| Contractual issues | EU business partners may refuse to work with you if you lack a representative (compliance due diligence) |
| Reputational damage | Non-compliance signals carelessness about data protection to EU partners and customers |
| Market access risk | Some EU procurement processes and RFPs require proof of GDPR compliance, including Article 27 |
Real enforcement examples
While standalone Article 27 fines have been relatively rare, supervisory authorities increasingly flag the absence of a representative as an aggravating factor in broader enforcement actions. The Finnish DPA, Belgian DPA, and Spanish AEPD have all referenced Article 27 obligations in enforcement decisions against non-EU entities.
The trend is clear: as enforcement matures, standalone Article 27 enforcement will increase. Several DPAs have signalled that non-EU companies operating in the EU without a representative will face coordinated enforcement in the coming years.
GDPR Representative for Specific Sectors
SaaS and technology companies
Most US, UK, and Israeli SaaS companies processing EU customer data need a representative. Key considerations:
- High data volumes may increase costs but remain manageable
- Behavioural analytics and tracking triggers Article 3(2)(b) even without EU-language websites
- Sub-processors and international transfers add complexity your representative should understand
- Rapid scaling — choose a provider that can grow with you
E-commerce and retail
Any non-EU retailer selling to EU customers needs a representative. Beyond the basics:
- Payment data (potential special considerations under PSD2)
- Marketing and profiling (consent management complexity)
- Returns processing (physical presence considerations)
- Cookie consent (your representative should understand ePrivacy requirements)
Healthcare and biotech
Non-EU companies processing EU health data face heightened requirements:
- Special category data (Article 9) increases risk and representative costs
- Clinical trial data (Clinical Trials Regulation interplay)
- Cross-border health data sharing under European Health Data Space (EHDS)
- Croatia's growing biotech sector means local representatives understand health data flows
Financial services
Fintech and financial services companies face sector-specific data protection challenges:
- DORA (Digital Operational Resilience Act) requirements for ICT third-party risk
- PSD2/PSD3 data sharing obligations
- AML/KYC data processing considerations
- MiFID II client data requirements
- Representative should understand the intersection of financial regulation and GDPR
AI and machine learning
Companies developing or deploying AI systems using EU data face emerging requirements:
- EU AI Act compliance intersects with GDPR representative obligations
- Automated decision-making (Article 22) creates additional data subject rights
- Training data sourced from EU individuals triggers Article 3(2)
- Profiling activities trigger Article 3(2)(b) monitoring provisions
Future Outlook: Article 27 Enforcement Trends
Enforcement is intensifying
EU supervisory authorities are increasingly focusing on non-EU entities processing EU data. Key developments:
- Coordinated enforcement actions: DPAs are increasingly working together across borders to address non-EU companies that lack representatives
- AI Act intersection: The EU AI Act includes similar representative requirements (Article 22), creating additional obligations for non-EU AI providers
- Digital Services Act: The DSA's similar representative requirements are establishing regulatory precedent
- ePrivacy Regulation: When finalised, will create additional representative-like obligations
The growing role of EU representative hubs
As enforcement intensifies, EU member states with strong compliance ecosystems and competitive costs — like Croatia, Estonia, and Poland — are emerging as preferred locations for representative services. Croatia's combination of eurozone membership, CET timezone, strong English proficiency, and 30-50% cost advantage over Western EU markets positions it particularly well.
Recommendations for 2026 and beyond
- Appoint a representative now if you haven't already — enforcement is not a matter of "if" but "when"
- Choose a provider that offers scalable services — as your EU obligations grow, your representative should grow with you
- Consider bundled services (representative + DPO + compliance advisory) for cost efficiency
- Look beyond Ireland and Germany — countries like Croatia offer equal regulatory standing at significantly lower cost
- Review your appointment annually to ensure it remains appropriate as your processing activities evolve
Frequently Asked Questions
Do I need a GDPR representative if I only have a few EU customers?
Almost certainly yes. The exemption in Article 27(2)(a) applies only to occasional processing that is also low-risk and doesn't involve special categories or criminal data at large scale. If you're systematically offering services to EU customers — even a small number — it's not occasional. The EDPB guidance is clear: when in doubt, appoint a representative.
Can I appoint an individual or does it need to be a company?
Either. Article 27 allows you to designate "a natural or legal person." In practice, most companies appoint a legal entity (compliance firm) rather than an individual for continuity, liability, and scalability reasons.
Does my representative need to be in every EU country where I have data subjects?
No. Article 27(3) requires the representative to be in one of the member states where your data subjects are. A representative in Croatia, for example, can serve as your representative for data subjects across all 27 EU member states.
Can my EU-based customer or partner serve as my representative?
Technically possible but strongly discouraged. Your representative should be independent and have data protection expertise. Using a customer or partner creates conflicts of interest and risks inadequate compliance.
Is a GDPR representative personally liable for my non-compliance?
The representative is not liable for your processing violations. However, they can be directly addressed by DPAs (they're the local contact point), and they must cooperate with supervisory authorities. The controller or processor remains ultimately responsible for GDPR compliance.
How quickly do I need to appoint a representative?
There's no grace period. If Article 3(2) applies to your processing, you should already have a representative. The practical recommendation: complete the appointment within 4-8 weeks of determining that Article 27 applies.
Does appointing a GDPR representative mean I'm subject to EU jurisdiction?
Yes, in the sense that you're already subject to GDPR's extraterritorial scope under Article 3(2). The representative doesn't create new jurisdiction — it acknowledges existing jurisdiction and provides the required local presence. Note that the representative can be served with legal process on your behalf, which is one reason DPAs take Article 27 seriously.
What's the difference between a GDPR representative and a local legal counsel?
A GDPR representative is specifically mandated by Article 27 and serves as a formal point of contact for DPAs and data subjects. Legal counsel provides legal advice and representation. They're different roles, though some providers offer both. Your representative should know when to escalate matters to legal counsel.
Can I switch my representative to a different EU country?
Yes. There's no restriction on changing your representative's location, provided the new location is in a member state where your data subjects are located. You'll need to execute a new mandate, update your privacy notice, update your ROPA, and potentially notify relevant DPAs.
Why do companies choose Croatia for GDPR representative services?
Croatia offers several advantages: full EU and eurozone membership, a competent DPA (AZOP), significantly lower costs than Western EU providers (30-50% savings), strong English proficiency among professionals, CET timezone alignment with both EU and US, and a growing ecosystem of experienced compliance service providers. There's no regulatory disadvantage — a Croatian representative has identical legal standing to one in any other EU member state.
Related Resources
- GDPR Compliance Guide: Everything You Need to Know
- Data Protection Officer Guide: Roles, Responsibilities & Requirements
- Standard Contractual Clauses (SCCs): Complete Guide to EU Data Transfers
- Data Mapping for GDPR: Article 30 ROPA Compliance Guide
- Privacy Impact Assessment Guide: GDPR DPIA Requirements
Related Articles
- GDPR for US Companies Guide — How GDPR applies to American businesses
- GDPR Compliance: The Complete Guide for Organisations in 2026 — Full guide to GDPR obligations and compliance
- EU Compliance for SaaS & Tech Companies — Complete playbook for non-EU SaaS companies
Need a GDPR representative in the EU? Vision Compliance provides Article 27 representative services from Croatia, offering full regulatory coverage across all EU member states at competitive rates. Schedule a consultation to discuss your requirements.
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.