Does this tool produce a binding determination?

No. It applies GDPR Article 27, the Article 3(2) targeting test, and EDPB Guidelines 3/2018 to your answers and returns a structured assessment. Whether you have an establishment, whether processing is occasional or large scale, and whether it is likely to result in a risk are judgement calls for your organisation and its DPO or legal counsel. The EDPB reads the exemption narrowly, so when in doubt, treat the obligation as applying.

What is an EU (Article 27) representative?

A representative is a person or organisation established in the EU/EEA that a non-EU controller or processor designates in writing to act as its local point of contact for supervisory authorities and data subjects on data-protection matters. It is not the same as a Data Protection Officer, and a processor cannot act as the EU representative for a controller it processes for.

When does the Article 27 obligation arise?

When Article 3(2) applies: you are a controller or processor without an EU/EEA establishment, and your processing relates either to offering goods or services to people in the Union or to monitoring their behaviour in the Union. If you have a genuine EU/EEA establishment, Article 3(1) applies instead and no Article 27 representative is required.

Who is exempt from designating a representative?

Public authorities and bodies are exempt under Article 27(2)(b). There is also a narrow exemption under Article 27(2)(a) for processing that is occasional, does not include large-scale special-category or criminal-offence data, and is unlikely to result in a risk to rights and freedoms. All three conditions must hold, and the EDPB interprets them narrowly.

Is a representative the same as a Data Protection Officer?

No. A DPO advises on and monitors GDPR compliance and must act independently, whereas a representative is a mandated local EU/EEA contact point for a non-EU organisation. You can need one, both, or neither, depending on your circumstances. The EDPB considers that the representative function is not compatible with the role of a DPO, because the representative acts under the organisation's mandate while the DPO must be independent, so the same person should not hold both roles.

What happens if I should have a representative but do not designate one?

Failing to designate a representative where Article 27 requires one is an infringement of the GDPR that a supervisory authority can act on, including with corrective measures and fines. The representative itself can also be addressed by authorities and data subjects, which is part of why the obligation exists.

Free tool

GDPR EU representative checker

Answer eight questions to assess whether your organisation is likely to need to designate an EU representative under GDPR Article 27. Built for controllers and processors based outside the EU/EEA. Based on Article 27, the Article 3(2) targeting test, and EDPB Guidelines 3/2018. A structured assessment, not legal advice.

Based on GDPR Articles 27 and 3(2) and EDPB Guidelines 3/2018 on territorial scope.

Primary sources

Jurisdiction: EU/EEA. Instrument: Regulation (EU) 2016/679 (GDPR), Articles 27 and 3(2), as in force on the dates below and extended to the EEA.

Regulation (EU) 2016/679 (GDPR), Articles 27 and 3 (EUR-Lex) (Last verified 2026-06-05)
EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), final version 2.1, adopted 12 November 2019 (Last verified 2026-06-05)

Frequently asked questions

Does this tool produce a binding determination?: No. It applies GDPR Article 27, the Article 3(2) targeting test, and EDPB Guidelines 3/2018 to your answers and returns a structured assessment. Whether you have an establishment, whether processing is occasional or large scale, and whether it is likely to result in a risk are judgement calls for your organisation and its DPO or legal counsel. The EDPB reads the exemption narrowly, so when in doubt, treat the obligation as applying.
What is an EU (Article 27) representative?: A representative is a person or organisation established in the EU/EEA that a non-EU controller or processor designates in writing to act as its local point of contact for supervisory authorities and data subjects on data-protection matters. It is not the same as a Data Protection Officer, and a processor cannot act as the EU representative for a controller it processes for.
When does the Article 27 obligation arise?: When Article 3(2) applies: you are a controller or processor without an EU/EEA establishment, and your processing relates either to offering goods or services to people in the Union or to monitoring their behaviour in the Union. If you have a genuine EU/EEA establishment, Article 3(1) applies instead and no Article 27 representative is required.
Who is exempt from designating a representative?: Public authorities and bodies are exempt under Article 27(2)(b). There is also a narrow exemption under Article 27(2)(a) for processing that is occasional, does not include large-scale special-category or criminal-offence data, and is unlikely to result in a risk to rights and freedoms. All three conditions must hold, and the EDPB interprets them narrowly.
Is a representative the same as a Data Protection Officer?: No. A DPO advises on and monitors GDPR compliance and must act independently, whereas a representative is a mandated local EU/EEA contact point for a non-EU organisation. You can need one, both, or neither, depending on your circumstances. The EDPB considers that the representative function is not compatible with the role of a DPO, because the representative acts under the organisation's mandate while the DPO must be independent, so the same person should not hold both roles.
What happens if I should have a representative but do not designate one?: Failing to designate a representative where Article 27 requires one is an infringement of the GDPR that a supervisory authority can act on, including with corrective measures and fines. The representative itself can also be addressed by authorities and data subjects, which is part of why the obligation exists.

By ISMS Copilot. Based on GDPR Articles 27 and 3(2) and EDPB Guidelines 3/2018 on territorial scope.

Ready to do compliance work faster?

Built for speed, accuracy, and audit-ready output.

Try ISMS Copilot 2.0