Usantis

Penalties for not having an EU representative

Failing to appoint an EU representative is a GDPR breach in its own right. Here is how the Article 83 fine framework applies and why the gap is so easy for an authority to document.

A missing representative is a breach in itself

Appointing an EU representative is a legal obligation under Article 27 GDPR, not a best practice. Failing to do so is an infringement that a supervisory authority can act on directly — independently of whether anything else has gone wrong with your data processing.

Which fine tier applies

The GDPR has two fine tiers under Article 83. The representative obligation sits in the lower of the two:

  • Article 83(4) — up to €10M or 2% of worldwide annual turnover: applies to the obligations in Articles 25–39, which include the Article 27 representative duty.
  • Article 83(5) — up to €20M or 4%: applies to breaches of the basic principles, data subject rights, and international transfer rules.

So a pure Article 27 failure is a “2% tier” matter. In reality it is rarely pure — see below.

Why it rarely appears alone

An Article 27 violation almost never surfaces by itself. It is uncovered during a broader process — a data subject complaint, a breach notification, or an audit — when an authority or an individual goes looking for someone in the EU to contact and finds no one.

At that point the missing representative becomes an easy, documented deficiency to cite, and it colours how the authority views everything else. It signals that compliance was not taken seriously, which can push the assessment of the surrounding (often higher-tier) breaches toward the harsher end of the scale.

The indirect costs

Beyond any fine, operating without a representative carries costs that are harder to quantify but often larger:

  • Disruption to your ability to serve the EU market while the gap is unresolved
  • Reputational damage if an enforcement action becomes public
  • Loss of trust from EU customers and B2B partners who run vendor due diligence
  • Management time and legal fees spent reacting instead of preventing

The asymmetry

The economics are lopsided. Compliance costs €99/month and about ten minutes of setup. The downside of being caught without representation ranges from a 2%-tier fine to lost EU market access and reputational harm. For almost any company serving the EU, closing the gap is the obviously rational choice.

If you are not sure whether the obligation applies to you, start with when a representative is required.

Frequently asked questions

Related guides

When a representative is required

The Article 27 triggers — offering goods/services to, or monitoring, people in the EU.

Representative vs. DPO

Two different roles that are often confused. When you need one, the other, or both.

Cost & pricing

What the market charges, what drives the price, and the hidden costs to watch for.

Back to the EU GDPR representative guide

Last updated 2026-05-23.

Get your EU representative in about ten minutes

€99/month, fully self-service, with DSAR handling and a hosted compliance page included.

Start your setupCompare pricing