When you do not need an EU representative

The exceptions are real but narrow

Most non-EU companies that serve the EU need a representative — see when a representative is required. But Article 27 does carve out genuine exceptions. There are three, and they are interpreted strictly.

1. The occasional-processing carve-out

Article 27(2)(a) exempts processing that is occasional, does not include large-scale processing of special categories of data (or criminal-offence data), and is unlikely to result in a risk to the rights and freedoms of individuals. All three conditions must hold.

“Occasional” means genuinely irregular — not a normal, ongoing part of how you operate. Regular analytics, a live signup flow open to EU users, or a steady trickle of EU sales is not occasional, even if the volume is modest.

2. Public authorities and bodies

Article 27(2)(b) exempts public authorities and bodies. If you are a government body, the representative requirement does not apply — though other GDPR obligations (a DPO, records of processing, handling data subject rights) very much do.

3. You have an EU establishment

Article 27 is for organisations without an EU establishment. If your processing is carried out in the context of a real establishment in the EU — effective activity through stable arrangements — then Article 3(1) governs instead, and the Article 27 representative obligation does not apply to that processing.

Common misconceptions

• “We only have a handful of EU users” — volume alone is not the test.
• “We don’t charge EU customers” — free services still count as offering services.
• “We’re a non-profit” — there is no general non-profit exemption.
• “Our site just happens to be reachable from the EU” — true, but targeting or monitoring changes the answer.

Not sure which side of the line you are on? The compliance checker walks you through the exceptions in under a minute.