GDPR Representative (Article 27): Complete Guide for Non-EU Companies (2026)
February 21, 2026
Updated: February 22, 2026
26 min read
Data Protection
If your company is based outside the European Union but offers goods or services to people in the EU — or monitors their behaviour — you almost certainly need a GDPR representative. Article 27 of the General Data Protection Regulation requires non-EU controllers and processors to designate a representative physically established in an EU member state. Ignore this obligation and you face fines of up to €10 million or 2% of global annual turnover, whichever is higher.
Despite this, compliance surveys consistently estimate that a significant majority of non-EU companies that should have an Article 27 representative have not actually appointed one. Many don't know the requirement exists. Others confuse it with having a Data Protection Officer. Some assume that using EU-based cloud hosting is enough.
This guide explains exactly who needs a GDPR representative, what the representative does, how much it costs, and how to choose the right provider — with a particular focus on why EU member states like Croatia are becoming popular choices for representative services due to cost advantages and strong regulatory infrastructure.
| Quick Reference | Details |
|---|---|
| Legal basis | Article 27 GDPR — Representatives of controllers or processors not established in the Union |
| Who needs one | Non-EU controllers/processors that offer goods/services to EU individuals or monitor their behaviour |
| Exemptions | Public authorities; processing that is occasional, low-risk, and doesn't involve special categories or criminal data at large scale |
| Representative must be | Established in one of the EU/EEA member states where the data subjects are located |
| Key responsibility | Serve as a point of contact for supervisory authorities and data subjects |
| Penalty for non-compliance | Up to €10 million or 2% of global annual turnover (Article 83(4)) |
| Typical cost | €1,200–€12,000/year depending on provider, location, and scope |
| Croatia advantage | 30–50% lower costs than Western EU providers with full EU regulatory standing |
Key Takeaways
Article 27 GDPR requires non-EU companies that process EU personal data to appoint a representative physically established in the EU — this is a legal obligation, not optional
A GDPR representative is not the same as a DPO — the representative is a local contact point for authorities and data subjects, while the DPO oversees internal compliance
Exemptions are narrow: only public authorities or genuinely occasional, low-risk processing qualifies — most commercial operations do not
Failure to appoint a representative is itself a fineable offence (up to €10M / 2% of turnover), and it can trigger additional scrutiny from regulators
The representative must be established in a member state where your data subjects are — but a single representative can cover all EU/EEA countries
Croatia offers a compelling base for GDPR representation: full EU member since 2013, eurozone since 2023, with AZOP (the Croatian DPA) as a well-resourced supervisory authority and significantly lower service costs than Ireland, Germany, or the Netherlands
Costs range from €1,200 to €12,000 per year depending on processing complexity, data volume, and service level
When choosing a provider, prioritise regulatory expertise, responsiveness to DPA inquiries, and multilingual capability over brand recognition alone
A GDPR representative is an individual or organisation physically established in the European Union that acts as the local point of contact for a non-EU data controller or processor. Think of them as your company's regulatory front door in the EU — the person or entity that supervisory authorities (like AZOP in Croatia, CNIL in France, or the Irish DPC) and EU data subjects can reach when they have questions, complaints, or enforcement actions related to your processing of their personal data.
The representative is mandated by Article 27 of the GDPR. This isn't a best-practice recommendation — it's a legal requirement with real penalties attached.
Important clarifications:
The representative acts on your behalf regarding your GDPR obligations, but they do not replace your own accountability as a controller or processor
The representative is not your DPO (though the same organisation can potentially serve both roles)
The representative is not your EU legal counsel, though they should understand data protection law
The representative must be able to receive communications from DPAs and data subjects and relay them to you promptly
The role was specifically designed to address a practical problem: EU regulators and citizens need someone they can physically reach within EU jurisdiction when dealing with organisations headquartered in the US, UK, Switzerland, Israel, Singapore, or any other non-EU country.
Article 27 GDPR: The Legal Requirements
Here is the exact text of Article 27(1):
"Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union."
Article 3(2) is the GDPR's extraterritorial scope provision. It applies when a non-EU controller or processor either:
(a) Offers goods or services to data subjects in the EU (regardless of whether payment is required), or
(b) Monitors the behaviour of data subjects, insofar as their behaviour takes place within the EU.
The six core requirements of Article 27:
| Requirement | Details |
|---|---|
| Written mandate | The representative must be designated in writing with a clear mandate defining the scope of representation |
| Location | Must be established in one of the member states where the data subjects whose data you process are located |
| Accessibility | Must be reachable by supervisory authorities and data subjects for all issues related to processing |
| Record-keeping | Controller/processor must maintain records of processing activities per Article 30, and the representative's contact details must be included |
| Privacy notice | The representative's contact details must appear in your privacy notice/policy |
| Cooperation with DPAs | The representative must cooperate with supervisory authorities on behalf of the controller/processor |
How Article 3(2) triggers Article 27
Offering goods or services (Article 3(2)(a)):
Your website is available in EU languages (German, French, Croatian, etc.)
You accept payments in euros or other EU currencies
You ship products to EU addresses
You reference EU customers, markets, or pricing
You use EU-specific domain extensions (.eu, .de, .hr)
Monitoring behaviour (Article 3(2)(b)):
You track EU users with cookies, analytics, or pixels
You use behavioural advertising targeting EU residents
You profile EU individuals based on their online activity
You use location tracking for individuals in the EU
You conduct market research on EU consumer behaviour
If either trigger applies, you need a GDPR representative — unless you qualify for one of the narrow exemptions.
Who Needs a GDPR Representative?
In practice, the following types of non-EU companies almost always need an Article 27 representative:
Companies that definitely need one
| Company Type | Why Article 27 Applies |
|---|---|
| US/UK SaaS companies with EU customers | Offering services to EU data subjects — Article 3(2)(a) |
| E-commerce retailers shipping to EU | Goods offered to EU addresses with EU payment methods |
| Ad-tech and analytics companies | Monitoring EU user behaviour — Article 3(2)(b) |
| Mobile app developers | Processing data from EU app users, often with behavioural tracking |
| Non-EU employers with EU remote workers | Processing employee personal data of EU-based individuals |
| Israeli/Swiss tech companies | Non-EU/EEA, processing EU customer data |
| UK companies post-Brexit | UK is no longer EU — must appoint EU representative if processing EU data |
| US healthcare companies with EU patients | Cross-border health data processing |
| Financial service providers serving EU clients | Processing financial and personal data of EU individuals |
| AI/ML companies training on EU data | Monitoring behaviour and profiling EU individuals |
The UK post-Brexit reality
Since January 1, 2021, UK-based companies are treated as non-EU entities under GDPR. If you're a UK company processing personal data of individuals in the EU, you need to appoint a GDPR representative in the EU — and separately, EU companies may need a UK representative under the UK GDPR.
This caught many UK businesses off guard. Thousands of companies that were previously compliant as EU-based operations suddenly required an Article 27 representative.
Who Is Exempt?
Article 27(2) provides limited exemptions:
Exemption 1: Public authorities or bodies
Government entities are exempt. This doesn't apply to state-owned enterprises operating commercially.
Exemption 2: Occasional processing meeting ALL three criteria
The processing must meet all three of the following:
Occasional (not systematic, regular, or ongoing)
Free of large-scale processing of special category data (Article 9) or criminal conviction data (Article 10)
Unlikely to result in a risk to the rights and freedoms of individuals, taking into account the nature, context, scope, and purposes of the processing
All three criteria must be met simultaneously. In practice, this exemption is very narrow:
| Scenario | Exempt? | Why |
|---|---|---|
| US company that processed one EU employee's payroll for a 3-month secondment | Possibly | Genuinely occasional, low-risk, no special categories |
| US SaaS with 50 EU trial users | No | Ongoing service offering, systematic processing |
| Canadian retailer that occasionally ships to EU customers | No | Regular commercial offering to EU market |
| UK marketing agency with EU client data | No | Systematic processing, ongoing business relationship |
| Swiss research institute processing one EU dataset | Possibly | If genuinely one-off and no special categories |
The EDPB's position: When in doubt, appoint a representative. The cost is low relative to the risk, and regulators take a dim view of companies that try to stretch the exemption.
GDPR Representative vs. Data Protection Officer: Key Differences
This is one of the most common points of confusion. The roles serve fundamentally different purposes:
| Dimension | GDPR Representative (Article 27) | Data Protection Officer (Articles 37–39) |
|---|---|---|
| Who needs one | Non-EU controllers/processors processing EU data | Any organisation meeting DPO criteria (public bodies, large-scale monitoring, special categories) |
| Purpose | Local contact point in the EU for authorities and data subjects | Internal compliance oversight and advisory |
| Location | Must be physically established in the EU | Can be anywhere (but EU-based preferred) |
| Independence | Acts on behalf of the controller | Must be independent — cannot receive instructions on how to perform tasks |
| Legal basis | Article 27 | Articles 37–39 |
| Can be external | Yes (typically is) | Yes |
| Can be the same entity | Theoretically yes, but EDPB advises caution due to potential conflicts | N/A |
| Liability | Representative can be directly addressed by DPAs | DPO has no personal liability for non-compliance |
| Cost | €1,200–€12,000/year | €15,000–€100,000+/year |
| Privacy notice | Contact details must be listed | Contact details must be listed |
Can the same organisation serve as both?
The EDPB has noted potential conflicts — the DPO must be independent, while the representative acts on the controller's instructions. However, in practice, many compliance providers offer both services together with appropriate internal separation. This is particularly common with providers based in EU member states like Croatia, where a single firm can serve as your Article 27 representative, external DPO, and general compliance advisor.
What Does a GDPR Representative Actually Do?
A GDPR representative's responsibilities fall into four core areas:
1. Point of contact for supervisory authorities
When a DPA wants to investigate your company, they contact your representative. This includes:
Receiving formal inquiries and complaints from any EU/EEA supervisory authority
Forwarding DPA correspondence to you promptly
Facilitating cooperation between you and the DPA during investigations
Attending meetings or hearings with the DPA on your behalf (when authorised)
2. Point of contact for data subjects
EU individuals can exercise their GDPR rights through your representative:
Receiving data subject access requests (DSARs)
Accepting right-to-erasure ("right to be forgotten") requests
Handling data portability requests
Forwarding complaints from data subjects to you
Providing information about your processing activities when asked
3. Record-keeping obligations
Under Article 30(1), your representative must maintain (or help you maintain) a record of processing activities:
Name and contact details of the controller and the representative
Purposes of processing
Categories of data subjects and personal data
Categories of recipients
International transfers and safeguards
Retention periods
Security measures description
4. Ongoing compliance support
Good representative services go beyond the legal minimum:
Monitoring regulatory developments in their member state
Alerting you to enforcement trends and DPA guidance
Advising on privacy notice requirements
Supporting you during data breach notification (Article 33/34)
Liaising with local legal counsel when needed
Where Should Your Representative Be Located?
Article 27(3) states the representative must be established in one of the member states where your data subjects are located. If you process personal data of individuals across multiple EU countries, you have flexibility in choosing which member state.
Strategic factors in choosing a location
| Factor | Consideration |
|---|---|
| Where most of your data subjects are | Regulators may prefer the representative to be in the member state with the largest affected population |
| DPA enforcement climate | Some DPAs are more active than others — this cuts both ways (active DPAs provide clearer guidance but also more scrutiny) |
| Language and accessibility | Your representative should communicate effectively with the local DPA and data subjects |
| Cost of services | Representative fees vary significantly by country |
| Legal environment | Established data protection culture and clear legal frameworks |
| Timezone alignment | Practical consideration for day-to-day communication |
Country comparison for GDPR representative services
| Country | Typical Annual Cost | DPA Activity | Pros | Cons |
|---|---|---|---|---|
| Ireland | €5,000–€15,000 | Very high (DPC) | Major tech hub, English-speaking | Most expensive, DPC overwhelmed with cases |
| Germany | €4,000–€12,000 | Very high (17 DPAs) | Strong regulatory framework | Complex multi-DPA structure, German language required |
| Netherlands | €3,500–€10,000 | High (AP) | Good English proficiency | Increasing costs |
| France | €4,000–€12,000 | High (CNIL) | Large market | French language requirements |
| Croatia | €1,200–€5,000 | Moderate (AZOP) | 30–50% cost advantage, EU/eurozone, English proficiency, growing compliance hub | Smaller market (but covers all EU under Art. 27) |
| Poland | €1,500–€6,000 | Moderate (UODO) | Cost-effective | Less English proficiency |
| Estonia | €2,000–€7,000 | Moderate | Digital-first DPA | Small market |
Why Croatia Is Emerging as a GDPR Representative Hub
Croatia has quietly become one of the most attractive locations for GDPR representative services. Here's why:
Full EU standing since 2013
Croatia joined the European Union on 1 July 2013 and adopted the euro on 1 January 2023. It is a full member of the Schengen Area. A GDPR representative based in Croatia has identical legal standing to one based in Ireland, Germany, or France — the GDPR makes no distinction between member states.
AZOP: Croatia's Data Protection Authority
The Agencija za zaštitu osobnih podataka (AZOP) is Croatia's supervisory authority under the GDPR. Key facts:
Established in 2004, predating Croatia's EU membership
Active in cross-border enforcement through the EDPB consistency mechanism
Published guidance on controller-processor relationships, data breach notification, and children's data
Responsive to inquiries from both controllers and data subjects
Participates in EDPB-coordinated enforcement actions (e.g., the 2024 coordinated action on the right of access)
Cost advantage
Professional services in Croatia cost 30–50% less than equivalent services in Ireland, Germany, or the Netherlands, while quality remains comparable. This is driven by lower operating costs and a competitive professional services market — not by any difference in regulatory standards or legal expertise.
| Service | Ireland/Germany | Croatia | Savings |
|---|---|---|---|
| GDPR representative (basic) | €4,000–€8,000/yr | €1,200–€3,000/yr | 50–60% |
| GDPR representative + DPO bundle | €15,000–€30,000/yr | €6,000–€15,000/yr | 40–60% |
| Compliance consulting (hourly) | €200–€400/hr | €80–€180/hr | 50–60% |
| Data protection audit | €5,000–€15,000 | €2,500–€7,000 | 40–55% |
Strong professional talent
Croatia produces highly educated professionals in law, IT, and regulatory affairs. The country's universities offer specialised programmes in data protection and EU regulatory law. Many Croatian compliance professionals have experience working across multiple EU jurisdictions and are fluent in English, German, and Italian in addition to Croatian.
Timezone and accessibility
Croatia operates on Central European Time (CET/CEST), providing excellent overlap with:
US East Coast: 6-hour difference (comfortable afternoon overlap)
UK: 1-hour difference
Rest of the EU: Same timezone or ±1 hour
Middle East: 1-2 hour difference
Zagreb is connected by direct flights to all major EU capitals, making in-person meetings straightforward when needed.
Eurozone membership
Since January 2023, Croatia uses the euro. This eliminates currency conversion complications in billing and contracts — a practical advantage for companies already operating in EUR.
GDPR Representative Costs: What to Expect
Pricing models
| Model | Typical Range | Best For |
|---|---|---|
| Fixed annual fee | €1,200–€12,000/yr | Companies wanting predictable costs |
| Monthly retainer | €100–€1,000/mo | Companies wanting flexibility |
| Tiered packages | €150–€500/mo (basic), €500–€2,000/mo (premium) | Companies wanting to start small and scale |
| Per-inquiry pricing | €50–€200 per DPA/data subject inquiry | Very low-volume processing |
What drives the cost?
| Factor | Impact on Price |
|---|---|
| Volume of processing | More data subjects = higher risk = higher fee |
| Sensitivity of data | Special categories (health, biometric, financial) increase cost |
| Number of DPA inquiries | More regulatory interactions = more work |
| Jurisdictions covered | Representative in one state covers all, but multi-DPA coordination increases complexity |
| Additional services | DPO, breach notification support, compliance consulting bundled in |
| Provider location | Western EU providers charge 2–3x what Croatian or Eastern EU providers charge |
Sample pricing scenarios
| Scenario | Western EU Provider | Croatia-Based Provider |
|---|---|---|
| US SaaS startup, 500 EU users, standard data | €5,000–€8,000/yr | €1,500–€3,000/yr |
| UK e-commerce, 10,000 EU customers, payment data | €8,000–€12,000/yr | €3,000–€5,000/yr |
| US healthtech, EU patient data (special category) | €10,000–€15,000/yr | €5,000–€8,000/yr |
| Israeli fintech, EU financial data, high volume | €12,000–€20,000/yr | €5,000–€10,000/yr |
| Full bundle: representative + external DPO + compliance advisory | €25,000–€50,000/yr | €10,000–€20,000/yr |
How to Choose a GDPR Representative Provider
Essential evaluation criteria
1. Regulatory expertise
Does the provider have demonstrable experience handling DPA inquiries?
Can they articulate the difference between Articles 27 and 37?
Do they understand your industry's specific data protection challenges?
2. Responsiveness
What are their SLAs for forwarding DPA correspondence?
How quickly can they acknowledge a data subject request?
Do they offer 24/7 emergency contact for breach situations?
3. Location and DPA relationship
Are they genuinely established in the member state (not just a mailbox)?
Do they have a working relationship with the local DPA?
Can they communicate in the DPA's official language?
4. Scalability
Can they handle a sudden surge in data subject requests?
Do they serve other clients in your industry?
Can they expand services as your EU presence grows (DPO, compliance, audits)?
5. Transparency
Are fees clearly disclosed with no hidden costs?
Do they provide regular reports on activity?
Can you see a sample mandate agreement before signing?
Red flags to watch for
| Red Flag | Why It Matters |
|---|---|
| "Virtual office" or mailbox-only presence | Must be genuinely established — PO boxes don't satisfy Article 27 |
| No data protection expertise | Some providers are corporate service firms with no GDPR knowledge |
| Unwilling to share DPA interaction history | Good providers are transparent about their regulatory track record |
| Extremely low fees (under €500/year) | Suggests minimal service that may not meet obligations |
| No clear escalation process | You need defined procedures for urgent DPA inquiries and breach scenarios |
| One-size-fits-all contracts | Your mandate should be specific to your processing activities |
The Appointment Process: Step by Step
Step 1: Determine if you need a representative (2-5 days)
Assess whether Article 3(2) applies to your processing:
Do you offer goods/services to EU individuals?
Do you monitor the behaviour of EU individuals?
Are you exempt under Article 27(2)?
Step 2: Choose your representative location (1-2 weeks)
Consider where your data subjects are, cost factors, and strategic alignment. Croatia offers an excellent balance of cost, quality, and regulatory standing.
Step 3: Select a provider (2-4 weeks)
Evaluate providers against the criteria above. Request proposals, compare pricing, check references.
Step 4: Execute the written mandate (1 week)
Article 27 requires a written designation. The mandate should include:
Identification of the controller/processor and the representative
Scope of the representative's authority
Specific obligations and responsibilities
Communication protocols and SLAs
Data protection provisions for any data the representative handles
Term and termination provisions
Liability and indemnification
Step 5: Update your privacy notice (1-2 days)
Article 13(1)(a) and Article 14(1)(a) require you to include the representative's contact details in your privacy notice.
Step 6: Update your record of processing activities (1-2 days)
Article 30 requires the representative's contact details in your ROPA.
Step 7: Notify relevant DPAs if required (varies)
Some DPAs require notification of the representative appointment. Your representative should guide you on this.
Total timeline: 4-8 weeks from decision to fully operational.
Consequences of Not Appointing a Representative
Direct penalties
Failure to designate a representative under Article 27 is a violation of GDPR that can result in administrative fines under Article 83(4):
Up to €10 million, or
Up to 2% of total worldwide annual turnover of the preceding financial year
Whichever is higher.
Indirect consequences
| Consequence | Impact |
|---|---|
| DPA enforcement escalation | Without a local contact point, DPAs may pursue more aggressive enforcement measures |
| Inability to cooperate with investigations | No representative means difficulty engaging with formal regulatory proceedings |
| Data subject complaints | EU individuals may escalate complaints directly to DPAs, triggering investigations |
| Contractual issues | EU business partners may refuse to work with you if you lack a representative (compliance due diligence) |
| Reputational damage | Non-compliance signals carelessness about data protection to EU partners and customers |
| Market access risk | Some EU procurement processes and RFPs require proof of GDPR compliance, including Article 27 |
Real enforcement examples
While standalone Article 27 fines have been relatively rare, supervisory authorities increasingly flag the absence of a representative as an aggravating factor in broader enforcement actions. The Finnish DPA, Belgian DPA, and Spanish AEPD have all referenced Article 27 obligations in enforcement decisions against non-EU entities.
The trend is clear: as enforcement matures, standalone Article 27 enforcement will increase. Several DPAs have signalled that non-EU companies operating in the EU without a representative will face coordinated enforcement in the coming years.
GDPR Representative for Specific Sectors
SaaS and technology companies
Most US, UK, and Israeli SaaS companies processing EU customer data need a representative. Key considerations:
High data volumes may increase costs but remain manageable
Behavioural analytics and tracking trigger Article 3(2)(b) even without EU-language websites
Sub-processors and international transfers add complexity your representative should understand
Rapid scaling — choose a provider that can grow with you
E-commerce and retail
Any non-EU retailer selling to EU customers needs a representative. Beyond the basics:
Payment data (potential special considerations under PSD2)
Marketing and profiling (consent management complexity)
EU supervisory authorities are increasingly focusing on non-EU entities processing EU data. Key developments:
Coordinated enforcement actions: DPAs are increasingly working together across borders to address non-EU companies that lack representatives
AI Act intersection: The EU AI Act includes similar representative requirements (Article 22), creating additional obligations for non-EU AI providers
Digital Services Act: The DSA's similar representative requirements are establishing regulatory precedent
ePrivacy Regulation: When finalised, will create additional representative-like obligations
The growing role of EU representative hubs
As enforcement intensifies, EU member states with strong compliance ecosystems and competitive costs — like Croatia, Estonia, and Poland — are emerging as preferred locations for representative services. Croatia's combination of eurozone membership, CET timezone, strong English proficiency, and 30–50% cost advantage over Western EU markets positions it particularly well.
Recommendations for 2026 and beyond
Appoint a representative now if you haven't already — enforcement is not a matter of "if" but "when"
Choose a provider that offers scalable services — as your EU obligations grow, your representative should grow with you
Look beyond Ireland and Germany — countries like Croatia offer equal regulatory standing at significantly lower cost
Review your appointment annually to ensure it remains appropriate as your processing activities evolve
Frequently Asked Questions
Do I need a GDPR representative if I only have a few EU customers?
Almost certainly yes. The exemption in Article 27(2)(a) applies only to occasional processing that is also low-risk and doesn't involve special categories or criminal data at large scale. If you're systematically offering services to EU customers — even a small number — it's not occasional. The EDPB guidance is clear: when in doubt, appoint a representative.
Can I appoint an individual or does it need to be a company?
Either. Article 27 allows you to designate "a natural or legal person." In practice, most companies appoint a legal entity (compliance firm) rather than an individual for continuity, liability, and scalability reasons.
Does my representative need to be in every EU country where I have data subjects?
No. Article 27(3) requires the representative to be in one of the member states where your data subjects are. A representative in Croatia, for example, can serve as your representative for data subjects across all 27 EU member states.
Can my EU-based customer or partner serve as my representative?
Technically possible but strongly discouraged. Your representative should be independent and have data protection expertise. Using a customer or partner creates conflicts of interest and risks inadequate compliance.
Is a GDPR representative personally liable for my non-compliance?
The representative is not liable for your processing violations. However, they can be directly addressed by DPAs (they're the local contact point), and they must cooperate with supervisory authorities. The controller or processor remains ultimately responsible for GDPR compliance.
How quickly do I need to appoint a representative?
There's no grace period. If Article 3(2) applies to your processing, you should already have a representative. The practical recommendation: complete the appointment within 4-8 weeks of determining that Article 27 applies.
Does appointing a GDPR representative mean I'm subject to EU jurisdiction?
Yes, in the sense that you're already subject to GDPR's extraterritorial scope under Article 3(2). The representative doesn't create new jurisdiction — it acknowledges existing jurisdiction and provides the required local presence. Note that the representative can be served with legal process on your behalf, which is one reason DPAs take Article 27 seriously.
What's the difference between a GDPR representative and a local legal counsel?
A GDPR representative is specifically mandated by Article 27 and serves as a formal point of contact for DPAs and data subjects. Legal counsel provides legal advice and representation. They're different roles, though some providers offer both. Your representative should know when to escalate matters to legal counsel.
Can I switch my representative to a different EU country?
Yes. There's no restriction on changing your representative's location, provided the new location is in a member state where your data subjects are located. You'll need to execute a new mandate, update your privacy notice, update your ROPA, and potentially notify relevant DPAs.
Why do companies choose Croatia for GDPR representative services?
Croatia offers several advantages: full EU and eurozone membership, a competent DPA (AZOP), significantly lower costs than Western EU providers (30–50% savings), strong English proficiency among professionals, CET timezone alignment with both EU and US, and a growing ecosystem of experienced compliance service providers. There's no regulatory disadvantage — a Croatian representative has identical legal standing to one in any other EU member state.
Need a GDPR representative in the EU? Vision Compliance provides Article 27 representative services from Croatia, offering full regulatory coverage across all EU member states at competitive rates. Schedule a consultation to discuss your requirements.
Ivana Ludiga · Associate · mag. iur.
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.