There is a GDPR obligation that millions of non-EU businesses are silently violating right now, and most of them have no idea.
Article 27 of the GDPR requires any organisation outside the European Union that collects or processes personal data from EU residents to appoint a designated EU representative. It is not optional. It is not a technicality. It is a hard legal requirement, and supervisory authorities across Europe are actively identifying and pursuing companies that ignore it.
What makes this obligation particularly easy to miss is that it does not involve a registration process or government notification. Nobody sends you a reminder. You just have to know it applies to you and comply.
Post-Brexit, UK businesses now face the same requirement in reverse: if you're a UK company processing personal data of EU residents, you need an EU representative. And if you're an EU company processing personal data of UK residents, you need a UK representative.
This guide covers everything you need to know about the GDPR EU representative requirement in plain language, without the legal padding:
- What Article 27 actually requires and what a representative does
- Who needs to appoint one (and who is exempt)
- The difference between an EU rep, a UK rep, and a DPO
- A step-by-step appointment guide
- How to find and evaluate a representative service
- The real penalties for non-compliance
- Answers to the questions businesses ask most
What Is a GDPR EU Representative? (Article 27 Explained)

An EU representative under Article 27 of the GDPR is a person or organisation established inside the European Union who acts as a named local contact point on behalf of a non-EU controller or processor. They are the entity that EU data subjects and supervisory authorities can reach when they need to contact your organisation about how you handle personal data.
The GDPR uses the term in Article 27(1): controllers and processors not established in the Union who fall within the scope of Article 3(2) "shall designate in writing a representative in the Union."
Why Does This Requirement Exist?
Before GDPR came into force in May 2018, EU data protection authorities had a genuine problem. They could identify overseas companies that were processing EU residents' data unlawfully, but reaching them and enforcing against them was slow, expensive, and often fruitless. Article 27 is the EU's solution to that problem. By requiring a local EU-based contact, supervisory authorities gain a reachable, enforceable point of contact within their jurisdiction.
Think of the representative as a compliance mailbox with legal standing that your regulators can actually get hold of.
What Does a GDPR EU Representative Actually Do?
The role is largely defined by receiving and forwarding communications. Specifically, the representative:
- Is named in your privacy notices under Articles 13(1)(a) and 14(1)(a), so data subjects know who to contact in the EU
- Receives communications from EU supervisory authorities (data protection regulators) on your behalf
- Handles or forwards Data Subject Access Requests (DSARs) directed to your organisation by EU residents
- Maintains records of your processing activities under Article 30, or at a minimum, holds and provides access to those records
- Cooperates with supervisory authorities under Article 31 when requested
One critical point: appointing a representative does not transfer your legal liability. Your organisation, the controller or processor, remains fully responsible for GDPR compliance. Enforcement can and will be initiated against you directly, even after a representative is in place. The representative is not a liability shield. They are a communication conduit.
EU Representative vs. Data Protection Officer: Two Very Different Roles
This is one of the most common points of confusion, and it matters because confusing them leads to non-compliance.
The DPO is an internal compliance watchdog. The EU representative is an external contact address. They serve completely different purposes, and one cannot substitute for the other.
There was a real enforcement case that illustrated the seriousness of this distinction. In May 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Locatefamily.com €525,000 specifically for failing to appoint an EU GDPR representative, one of the first major enforcement actions targeting this exact obligation. The company had no EU establishment and no representative in place. That €525,000 fine was not for a data breach. It was purely for missing the Article 27 requirement.
Pro Tip: Check your current privacy policy right now. Does it list the name and contact details of an EU representative? If your company is based outside the EU and your privacy policy doesn't include this information, that gap is visible to any supervisory authority, and it flags you immediately as a non-compliant organisation.
Who Needs to Appoint an EU GDPR Representative?

You need to appoint an EU GDPR representative if all of the following are true:
1. Your organisation is not established in the EU. This means you have no branch, registered office, subsidiary operating as part of your business, or other stable arrangement carrying out real activity in the EU. Owning servers in the EU or having EU customers does not make you "established" there.
2. You process personal data of individuals who are in the EU. Note: this is about where the data subjects are located at the time of processing, not their citizenship or nationality.
3. That processing is related to either:
- Offering goods or services to EU data subjects (paid or free, both count), or
- Monitoring the behaviour of EU data subjects (analytics, tracking cookies, behavioural profiling, etc.)
This scope is deliberately broad. If your website has EU visitors and you collect their email addresses, track their behaviour with cookies, or offer them any product or service, you are in scope.
Practical Examples of Who Qualifies
A US-based SaaS company with EU business customers: Almost certainly in scope. Even if you sell to businesses, you process the personal data of the individuals at those businesses (names, email addresses, usage data).
An Australian e-commerce store that ships to Germany: In scope. Offering goods to EU data subjects, collecting names, addresses, and payment data.
A Canadian mobile app available in EU app stores: In scope if EU users download it and the app collects personal data.
A UK company (post-Brexit) serving French customers: In scope for EU GDPR purposes. The UK is no longer an EU member state, so UK businesses need an EU rep.
The EU Subsidiary Question
This comes up constantly, and it causes genuine confusion.
If a US company has a fully separate EU subsidiary, a distinct legal entity operating under its own structure, that subsidiary is established in the EU and does not need to appoint a representative. But the US parent company, if it separately processes EU personal data (via its own website, its own apps, its own services), may still need to appoint one.
The key question is whether the US parent is operating at arm's length from the subsidiary through a services or distribution agreement. If yes, the US parent is not using the subsidiary as its own establishment. It remains a non-EU entity for Article 27 purposes and must appoint a representative.
Who Is Exempt from Article 27?

Three categories of organisations are exempt:
1. Public authorities and government bodies. This exemption is narrow and does not apply to private companies doing business with governments.
2. Organisations already established in an EU member state. If you have a genuine establishment in the EU, Article 27 does not apply; Article 56 applies instead (identifying your lead supervisory authority).
3. Organisations where all three of the following are true:
- Processing is occasional only (not regular or systematic)
- Processing does not include large-scale special category data (health, biometric, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, etc.) or criminal offence data
- Processing is unlikely to result in a risk to the rights and freedoms of individuals
All three criteria must be met simultaneously. Meeting two out of three does not qualify you for the exemption. If your processing is regular, which it is for virtually any SaaS company, e-commerce business, or app, the occasional processing exemption almost certainly does not apply to you.
Pro Tip: If your website uses Google Analytics, Facebook Pixel, or any other behavioural tracking tool that regularly collects EU visitors' data, you are not processing "occasionally." The exemption is much narrower than most businesses assume. If in doubt, appoint a representative. The cost of the representative is a fraction of the cost of a fine.
What Does a GDPR EU Representative Do? (The Full Picture)

Let's be precise about the scope of the role, because misunderstanding it creates compliance gaps.
Named Contact in Privacy Notices
Under Articles 13 and 14, when you collect personal data directly from EU data subjects or indirectly from other sources, you must provide them with specific information, including the identity and contact details of your EU representative. This is not optional information in your privacy policy. It is a mandatory disclosure. If your privacy policy currently lists only your US/UK/Australian headquarters address with no EU representative, it is non-compliant with Articles 13 and 14 as well as Article 27.
Communication Point for Supervisory Authorities
EU data protection authorities (the ICO, CNIL, BfDI, DPC, and others) can and do reach out to organisations they have questions or concerns about. If your organisation is outside the EU and has no representative, those regulators have no obvious point of contact inside their jurisdiction. They may still try to reach you directly, but the absence of a representative is itself a violation that they can act on, as demonstrated by the Locatefamily.com fine.
With a representative in place, supervisory authorities can communicate efficiently, conduct enquiries, and request cooperation without international enforcement complications.
Handling Data Subject Requests
EU residents have a range of rights under GDPR: access, rectification, erasure, restriction, portability, and objection. They can direct requests to either the controller/processor directly or to the EU representative. Your representative should have a clear process for receiving these requests and ensuring they are forwarded to your internal team promptly, with enough time remaining in the one-month statutory response window.
Maintaining Records of Processing Activities
Article 30 requires controllers and processors to maintain records of their processing activities. For non-EU controllers, the EU representative must also maintain access to these records and be able to make them available to supervisory authorities on request. This means your representative needs to actually understand your processing activities, not just hold a piece of paper.
Cooperation with Supervisory Authorities
Under Article 31, your representative must cooperate with supervisory authorities when requested. This is the active duty that gives regulators their enforcement reach inside the EU.
What the Representative Cannot Do
The representative is not a GDPR compliance manager. They cannot substitute for having a proper data protection program. They are not required to give you legal advice (and most are not providing it). They cannot be held liable for your GDPR violations, only for their own failure to fulfil the representative's specific obligations. Their role is to be reachable and responsive. The compliance work remains yours.
Pro Tip: When you formally appoint a representative, give them a complete and current Record of Processing Activities (ROPA) under Article 30. This is the document they will be asked to produce if a supervisory authority investigates. A representative who has never seen your ROPA cannot cooperate meaningfully, and that gap can make an investigation worse, not better.
EU GDPR Representative vs. UK GDPR Representative: What's the Difference?

Brexit created a compliance split that many businesses still haven't fully worked through. Understanding it is essential.
What Is the UK Version of GDPR Called?
The UK version of GDPR is called "UK GDPR." When the UK left the European Union, it incorporated the EU GDPR into domestic law via the European Union (Withdrawal) Act 2018, creating a UK-specific version that sits alongside the Data Protection Act 2018. The two regimes are substantially similar, but they are now separate legal frameworks, enforced by separate regulators, with separate requirements.
In the EU, the GDPR is enforced by national supervisory authorities (ICO in Ireland, CNIL in France, BfDI in Germany, DPC in Ireland, and so on), coordinated by the European Data Protection Board (EDPB).
In the UK, the UK GDPR is enforced by the Information Commissioner's Office (ICO).
Two Separate Article 27 Requirements
Both the EU GDPR and the UK GDPR contain Article 27, requiring non-established organisations to appoint a local representative. This means:
- A US company processing EU residents' data: needs an EU representative based in an EU member state
- A US company processing UK residents' data: needs a UK representative based in the UK
- A US company processing both EU and UK residents' data: needs both, and they must be separate entities in separate jurisdictions
This is the post-Brexit compliance reality that a significant number of businesses have not yet addressed. An EU representative cannot serve as your UK representative. They are established in different jurisdictions, under different regulatory regimes, and accountable to different authorities.
The Position of UK Businesses Post-Brexit
Before 31 January 2020, a UK company processing EU residents' data was an EU-established entity, with no representative needed. Post-Brexit, UK companies are third-country organisations for EU GDPR purposes. If they continue to offer goods or services to EU residents or monitor EU residents' behaviour, they now need an EU representative.
Many UK businesses made the transition to Brexit compliance for data transfers, Standard Contractual Clauses, and adequacy decisions, but missed the Article 27 representative requirement entirely. Regulators in France, Germany, and the Netherlands, in particular, have been tightening their monitoring of this.
EU vs. UK GDPR Representative Side by Side
If your organisation serves customers in both the EU and the UK, which is common for US and Asian companies, you almost certainly need both.
Pro Tip: Don't assume your EU representative service automatically covers UK GDPR. Most specialist providers offer both EU and UK representative services, but they are separate products with separate fees. Check your existing contract. If it only mentions EU GDPR, you likely have a gap on the UK side.
EU GDPR Representative Requirements Step by Step

This is the practical section most guides skip. Here is exactly how to get compliant with Article 27.
Step 1: Assess Whether Article 27 Applies to You
Before appointing anyone, confirm the requirement applies. Ask yourself:
- Does my organisation have any physical establishment, office, branch, or registered entity actively carrying out business in any EU member state? If yes, Article 27 does not apply; Article 56 applies instead.
- Do I collect or process personal data of individuals who are located in the EU?
- Is that processing related to offering goods/services to EU residents, or monitoring their behaviour?
- Does the occasional processing exemption realistically apply? (Remember: all three criteria must be met simultaneously: occasional, no large-scale special category data, and unlikely to cause risk.)
If you confirm that you are in scope, move to step two.
Step 2: Choose Your Representative
Your representative can be a person or a company. They must be established in an EU member state where at least some of the data subjects you process are located. Article 27(3) does not require you to pick a specific member state, but the representative must be reachable within the EU.
Your options in practice are:
- An EU subsidiary or affiliate. If you have a related entity in the EU that is operationally connected to you, you can appoint them. This is the cheapest option and works well where the subsidiary is already involved in your EU operations. However, be careful: this works best when the subsidiary is capable and willing to handle regulatory enquiries properly. Designating a subsidiary that then does nothing with incoming data subject requests adds compliance risk rather than reducing it.
- A specialist GDPR representative service. Several dedicated providers offer Article 27 representative services; these are companies whose core business is acting as EU GDPR representatives for non-EU organisations. They are experienced with supervisory authority communications, maintain processes for handling DSARs, and operate across all EU member states. For most small and mid-sized businesses, this is the most practical choice.
- A law firm. Possible, but comes with complications. As the IAPP's Baker McKenzie analysis notes, acting as a representative is not "the practice of law," which creates issues around insurance coverage, attorney-client privilege, and professional conduct rules. Law firms also face conflict-of-interest risks when individual attorneys manage the representative mandate alongside client advice work. Tread carefully.
- Your DPO (if you have one). The same person or entity can serve as both your DPO and your Article 27 representative, but only if there is no conflict of interest. Given that the DPO must act independently under Article 38(3) while the representative operates under your direct mandate, this combination can create tension in practice.
You cannot appoint yourself as your own EU representative if your organisation is not established in the EU. The representative must be an EU-based entity separate from your non-EU business.
Step 3: Formally Appoint in Writing
Article 27 requires the designation to be "in writing." An informal email is unlikely to satisfy this. You should execute a formal written mandate or service agreement that specifies:
- The scope of the representative's authority
- How they will receive and handle communications from supervisory authorities and data subjects
- Their access to your Records of Processing Activities
- Your obligations to the representative (prompt responses, updated information, cooperation)
- Termination procedures
The appointment does not limit legal action against your organisation. Article 27(5) explicitly confirms that the representative arrangement does not affect legal proceedings against you directly.
Step 4: Update Your Privacy Notices
This step is where compliance becomes visible. Under Articles 13(1)(a) and 14(1)(a), your privacy notice must include the name and contact details of your EU representative. This is mandatory information, not optional disclosure.
Update every privacy policy that applies to EU residents to include:
- The representative's full legal name
- Their address in the EU member state where they are established
- A direct contact email address
Data subjects must be able to contact the representative directly. The contact details should be functional and monitored.
Step 5: Maintain Records and Keep Information Current
Provide your representative with a current, complete Record of Processing Activities (ROPA). When your processing activities change (new data categories, new purposes, or new third-party processors), update your representative promptly. Their ability to cooperate meaningfully with supervisory authorities depends entirely on having accurate, current information from you.
Review your representative arrangement at least annually. Representative services change, fees evolve, and your processing activities are likely to grow over time.
Pro Tip: Build your representative's contact details into your privacy notice template, not just your published privacy policy. If you have multiple products, apps, or services with separate privacy notices, each one needs the representative's details. Missing them from even one notice is a standalone compliance gap.
How to Find a GDPR EU Representative Service

Once you know you need a specialist representative service, the next question is how to evaluate the options. Not all services are equal, and choosing poorly can leave you with a compliance gap even after you think you've solved the problem.
Here is what to look for.
Coverage Across All 27 EU Member States
Article 27(3) says the representative must be established in a member state where some of your data subjects are located. If your data subjects are spread across France, Germany, the Netherlands, Poland, and Spain, and your representative is only established in Malta, you have a problem.
The best practice is to choose a representative service with genuine presence or legal establishment across all 27 EU member states, or at a minimum, the specific member states where your data subjects are concentrated. Many smaller providers cover only a few countries. Check this explicitly before signing.
Response Times for Data Subject Requests
EU residents have a statutory right to a response to their access requests within one calendar month. Your representative receives those requests and must forward them to you with enough time for you to prepare a response. If your representative takes a week to forward a request, you have three weeks left to respond, not four.
Look for a provider that commits to acknowledging and forwarding data subject requests on the next business day at the latest. Some offer same-day acknowledgement. This is not a minor operational detail; it directly affects your legal compliance.
Unlimited Communications
Some representative services cap the number of data subject requests or supervisory authority communications included in their annual fee. Above the cap, you pay per contact. For businesses that process significant volumes of EU personal data, this creates unpredictable costs and a perverse incentive to minimise engagement.
Look for a provider that offers unlimited communications within the annual fee. You cannot predict how many DSARs or regulatory enquiries you'll receive in a given year; your representative service should not penalise you for receiving them.
Real GDPR Expertise
There is a meaningful difference between a service that understands GDPR and a service that acts as a post box. When a supervisory authority sends an enquiry, your representative needs to understand what's being asked, handle it appropriately, and communicate clearly with the regulator. A service staffed by people with no genuine GDPR background will struggle in any situation beyond a routine data subject request.
Ask prospective providers about their experience handling supervisory authority enquiries directly. Have they dealt with investigations? What does their escalation process look like when something complex comes in?
Track Record with Supervisory Authorities
There are now six years of GDPR enforcement history. Ask providers whether they have experience with specific national DPAs, what kinds of enquiries they have handled, and whether they have navigated formal investigations on behalf of clients. Experience with German, French, and Irish regulators in particular is valuable, given the volume of enforcement activity those authorities generate.
Types of Providers to Consider
Specialist GDPR representative firms: Companies built specifically for this purpose, offering services across the EU (and often the UK and Switzerland). DataRep is the best-known example. These firms handle representative mandates as their primary business, which generally translates to well-developed processes and genuine regulatory experience.
Global compliance platforms: Larger compliance software and advisory businesses that offer representative services as part of a broader GDPR compliance offering. Often a good fit if you also need help with data mapping, DSAR management, or GDPR program management.
Privacy law firms with representative practices: As noted above, this comes with complexity around professional responsibilities and privilege. More suitable for large organisations with sophisticated legal relationships than for SMBs or startups.
How Much Does a GDPR EU Representative Service Cost?
Pricing varies widely depending on the provider, the scope of coverage, and the volume of communications expected. As a general range:
Basic annual representative services for small businesses typically start around €200–€500 per year for EU coverage. Mid-market services with broader coverage and additional features (UK GDPR, unlimited DSARs, more member states) typically run €500–€2,000 per year. Enterprise or multi-jurisdiction arrangements can go higher.
Compared to the potential fine for non-compliance (up to €10 million or 2% of global annual turnover), even the higher end of representative service costs is a fraction of the risk exposure.
Pro Tip: Get the representative service to specify in writing which EU member states they are actually established in, not just which ones they claim to cover. Some providers handle certain jurisdictions through network partners or informal arrangements rather than legal establishment. This distinction matters if a supervisory authority in that country initiates formal contact.
Penalties for Not Appointing a GDPR EU Representative

Article 27 is not a procedural nicety. Failure to comply is a direct GDPR violation, enforceable by any EU supervisory authority with jurisdiction.
The Fine Structure
Article 83(4)(a) of the GDPR provides that failure to designate a representative in accordance with Article 27 is subject to administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
This is Tier 1 of the GDPR fine structure, the same tier that covers failures to notify a data breach within 72 hours, failures to maintain records of processing activities, and failures to conduct adequate data protection impact assessments. It is a serious category of violation.
The €525,000 Fine That Should Have Woken Everyone Up
In May 2021, the Dutch Data Protection Authority fined Locatefamily.com €525,000 for failing to appoint an EU GDPR representative. Locatefamily.com was a people-search website that processed significant amounts of personal data of EU residents while operating without any EU establishment. The Dutch DPA investigated, found no representative in place, and issued the fine.
This was a landmark enforcement action for Article 27 specifically. Before this, many businesses knew about the representative requirement but treated it as a theoretical risk that regulators would never actually pursue. The Locatefamily.com case ended that assumption.
Growing Regulatory Attention
Since 2021, EU supervisory authorities have been paying closer attention to Article 27 compliance. Regulators have multiple tools for identifying non-EU businesses that process EU residents' data: privacy policy reviews, complaint-driven investigations, market surveillance, and data from the organisations themselves that have filed notifications with some authorities.
The Netherlands, Germany, and France, in particular, have demonstrated a willingness to pursue overseas companies. The UK ICO has similarly indicated increased attention to non-UK organisations' compliance with UK GDPR's Article 27 requirement.
Beyond the Fine: Commercial Consequences
Regulatory fines are not the only consequence of missing the representative requirement. In practice:
Reputational damage: GDPR enforcement actions are public. A fine for failing to appoint a representative signals to EU customers and business partners that your organisation does not take data protection seriously. For SaaS companies trying to close enterprise deals in Europe, this kind of public record is a commercial liability.
Loss of EU market access: In extreme cases, particularly where a supervisory authority determines that a business poses an ongoing risk to EU data subjects, authorities can order the suspension of processing activities. This effectively means being shut out of the EU market until compliance is demonstrated.
Complications with enterprise sales: Large EU organisations conducting vendor due diligence will check your privacy policy and GDPR compliance posture. A missing EU representative is the kind of gap that kills procurement processes.
Pro Tip: After you appoint your representative and update your privacy notices, do a Google search for your company's privacy policy and check what version appears in search results. Cached or old versions of your privacy policy without the representative's details can still be surfaced to regulators and prospects. Make sure the current, compliant version is indexed and accessible.
Frequently Asked Questions
What does an EU representative mean under GDPR?
An EU representative is a person or organisation established inside the EU who acts as the named local contact point for a non-EU controller or processor. They receive communications from data subjects and supervisory authorities on your behalf and maintain access to your records of processing activities.
What is an Article 27 representative under the GDPR?
Article 27 is the GDPR provision that requires non-EU organisations to formally designate an EU-based representative in writing. That appointed person or entity is the "Article 27 representative" named in your privacy notices and accountable to EU regulators as your local point of contact.
Is a GDPR representative the same as a Data Protection Officer (DPO)?
No, they are entirely different roles. The EU representative is an external contact point for regulators and data subjects, operating under your instructions. The DPO is an independent internal compliance expert. One cannot substitute for the other, and not all organisations that need a representative also need a DPO.
What is the UK version of GDPR called?
It is called "UK GDPR." When the UK left the EU, it incorporated the EU GDPR into domestic law via the European Union (Withdrawal) Act 2018. It is enforced by the UK ICO and requires non-UK organisations processing UK residents' data to appoint a separate UK-based representative under its own Article 27.
Can a company act as its own EU representative?
Not unless it has a genuine establishment inside the EU. A non-EU company can appoint an EU subsidiary to act as its representative, but that subsidiary must be operationally capable of handling communications and records, not just named on paper.
How much does an EU GDPR representative service cost?
Basic services for small businesses typically start at €200–€500 per year. Broader coverage, including UK GDPR and unlimited communications, usually runs €500–€2,000 annually. That cost is a fraction of the potential €10 million fine for non-compliance.
Do I need both an EU and a UK GDPR representative?
Yes, if you process personal data of both EU and UK residents and are established in neither jurisdiction. They must be separate appointments; an EU representative cannot cover UK GDPR obligations, and vice versa. Many specialist providers offer both, but check that your contract confirms it explicitly.
What happens if I appoint a representative and then a supervisory authority investigates me anyway?
Appointing a representative does not shield you from investigation or fines. Article 27(5) makes clear that enforcement can still be taken against you directly. The representative makes it easier for regulators to communicate with you, but it does not provide any immunity from the outcome.
Wrapping Up
Article 27 of the GDPR is one of the most overlooked compliance obligations in the regulation and one of the easiest to fix.
If your organisation is based outside the European Union and you collect or process personal data of EU residents in connection with offering them goods or services, or monitoring their behaviour, you are required to appoint an EU GDPR representative. In writing. Named in your privacy notices. Capable of receiving and acting on communications from regulators and data subjects.
Post-Brexit, UK businesses face the same requirement for EU processing. And EU businesses face the equivalent requirement under UK GDPR for UK processing. Two separate regimes, enforced by separate authorities, with separate fines for non-compliance.
The good news is that fixing this is straightforward. Assess whether you're in scope. Choose a qualified representative, ideally a specialist service with a genuine EU-wide presence. Appoint them formally in writing. Update your privacy notices. Provide them with your records of processing activities. Done.
The €525,000 fine issued to Locatefamily.com in 2021 was not for a breach. Not for unlawful processing. Not for ignoring a data subject's rights. It was simply for not having an Article 27 representative in place. That is a preventable outcome, and now you have everything you need to prevent it.