Article 27 GDPR · Complete guide

EU GDPR Representative — everything you need to know

If your company is outside the EU but serves people inside it, Article 27 GDPR likely requires you to appoint an EU representative. This guide explains what that means, who it applies to, what it costs, and how to be compliant in about ten minutes.

What is an EU representative?

An EU representative under Article 27 of the GDPR is a person or organisation established in the European Union, designated by a non-EU company to act as the official point of contact for data subjects and supervisory authorities. If your business processes the personal data of people in the EU — whether you are a Florida SaaS founder, a London e-commerce store, or a Singaporean mobile app — Article 27 likely requires you to have one.

The obligation flows from the GDPR’s territorial scope. Article 3(2) extends the regulation to controllers and processors outside the EU when they offer goods or services to people in the EU, or monitor their behaviour. Recital 80 then explains the representative’s purpose: to give authorities and individuals someone inside the EU to address, in their own jurisdiction and language.

The role has three core functions: serving as the point of contact, being available to data subjects exercising their rights, and cooperating with supervisory authorities. It is not the same as having an “EU presence” for tax or corporate purposes, and it is a different role from a data protection officer — a distinction we cover below under “What does an EU representative actually do?”.

Who needs one — and who doesn’t

The simplest way to think about Article 27 is as a short decision tree that mirrors our compliance checker:

  • A non-EU company that offers goods or services to people in the EU — paid or free.
  • A non-EU company that monitors the behaviour of people in the EU, such as analytics, tracking, or profiling.
  • A company whose processing of EU residents’ data is genuinely occasional, low-risk, and unlikely to involve special-category data may fall outside the obligation.
  • Public authorities and bodies are exempt.

Typical companies that need one include:

  • A US SaaS product with EU users or trial signups
  • A UK e-commerce store shipping to the EU after Brexit
  • A Singaporean mobile app with downloads in the EU
  • An Australian marketing agency serving EU small businesses

If you are unsure, the carve-out for occasional processing is narrower than most people assume — it is the exception, not the rule.

What happens if you don’t have one?

A missing EU representative is a breach of the GDPR in its own right. Under Article 83, infringements can attract fines of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher. The representative obligation sits in the tier of provisions that authorities take seriously.

In practice, an Article 27 violation rarely surfaces on its own. It is usually flagged during a broader investigation — a complaint, a data breach, or a data subject who cannot find anyone in the EU to contact. The absence of a representative is then an easy, documented deficiency to cite, and it signals to the authority that compliance was not taken seriously.

The indirect costs matter too: reputational damage, loss of customer trust, and the practical risk of being unable to operate smoothly in the EU market while the issue is unresolved.

What does an EU representative actually do?

An EU representative’s mandate under Articles 27 and 30 covers:

  • Receiving data subject requests (DSARs) on your behalf
  • Receiving inquiries from supervisory authorities
  • Being named in, and helping maintain, the record of processing activities
  • Cooperating with authorities during investigations
  • Providing an EU point of contact for the service of process

Equally important is what a representative does not do:

  • It does not replace your data protection officer
  • It does not take legal responsibility off the controller
  • It does not defend against fines on your behalf

This is why genuine representation matters. A real EU address rather than a virtual mailbox, a named individual who is accountable under EU law, and documented liability insurance are the difference between a box-ticking exercise and a representative an authority will actually recognise.

How to choose an EU representative service

Five criteria separate a real service from a mailbox with a logo:

  1. Legal substance. Is there a real EU-based legal entity or named natural person, or just a forwarding address?
  2. Pricing transparency. Are prices published, or hidden behind “contact sales”?
  3. Self-service onboarding. Can you become compliant in minutes, or does it require a two-week sales cycle?
  4. DSAR handling included. Will they actually receive and process requests, or simply forward everything to you?
  5. Multilingual capability. Can they handle requests from EU residents in languages other than English?

Red flags worth avoiding:

  • Anonymous “compliance services” with no named representative
  • Prices below about €30/month — usually a virtual mailbox
  • No published service levels
  • No disclosure of insurance or legal substance

How much does an EU representative cost?

The market splits into rough tiers:

  • Budget (€30–80/month): often a virtual address with limited or no request handling
  • Standard (€99–250/month): real representation with DSAR handling
  • Premium (€200–500/month): extended services, custom domains, multilingual support
  • Enterprise (€500+): white-label and bespoke contracts

Usantis sits in the standard and premium tiers with transparent, public pricing: Standard at €99/month and Premium at €199/month, against competitors that commonly charge €150 and €400+ for comparable scope. See the full pricing breakdown.

How fast can you become compliant?

The whole process takes about ten minutes, entirely self-service, with no sales call:

  1. Sign up and verify your email (1 minute)
  2. Enter your company details (2 minutes)
  3. Pass an automated sanctions check (1 minute)
  4. Complete your compliance profile (2 minutes)
  5. Check out via Stripe (1 minute)
  6. Sign your power of attorney (about a minute)
  7. Embed your trust badge (1 minute)

After activation, several things happen automatically:

  • Your hosted compliance page is generated
  • Your trust badge is generated
  • A welcome kit with implementation guides is emailed to you
  • A privacy-policy snippet naming your representative is provided
  • A compliance crawler verifies your embed within seven days

What happens when an EU citizen contacts your representative?

When someone in the EU exercises their rights, the request flows through a tracked workflow so nothing is missed:

  1. The person submits a request via your hosted form or by email
  2. We verify their identity (email, and an ID document where appropriate)
  3. We translate non-English requests (machine translation with review where sensitive)
  4. We forward it to you with the deadline tracked
  5. You respond in your dashboard
  6. We translate your response back into the person’s language
  7. The full exchange is preserved in an append-only audit log

Our service levels: acknowledgement within 24 hours, identity verification within 48 hours, and the statutory window of up to 30 days for your response (extendable by a further 60 days in genuinely complex cases).

Last updated 2026-05-23.

Ready to become compliant?

Article 27 GDPR is not optional, and the cost of compliance is far lower than the cost of being caught without representation. For most companies, €99/month and ten minutes of setup is all it takes.

  • CIPP/E-certified representative
  • €1M professional liability insurance
  • Hetzner-hosted in Germany — data stays in the EU
  • Transparent, public pricing