EU representative vs. Data Protection Officer
The Article 27 representative and the Article 37 data protection officer are routinely confused. They are different roles with different triggers — and you may need one, the other, or both.
Two roles that are easy to confuse
The EU representative and the data protection officer (DPO) are both GDPR roles with the word “contact” attached, which is why they get mixed up. They are, however, entirely separate — different legal bases, different triggers, and different jobs. You may need one, the other, or both.
What the EU representative does
The EU representative under Article 27 is your designated point of contact inside the EU. It exists so that supervisory authorities and data subjects have someone in their own jurisdiction to address instead of a company on another continent. It receives requests and inquiries, is named in your privacy policy, and cooperates with authorities.
What the DPO does
The data protection officer under Articles 37–39 is an advisory and oversight role. A DPO informs and advises the organisation on its GDPR obligations, monitors compliance, acts as a contact point for the supervisory authority, and must be able to operate independently without instruction on how to perform the role.
A DPO is mandatory only when you meet specific criteria:
- You are a public authority or body, or
- Your core activities require large-scale, regular and systematic monitoring, or
- Your core activities involve large-scale processing of special-category data
Side by side
| EU representative | Data protection officer | |
|---|---|---|
| Legal basis | Article 27 | Articles 37–39 |
| Purpose | EU point of contact for authorities & data subjects | Advises on and monitors compliance |
| Location | Established in the EU | Anywhere; must be reachable |
| Who needs it | Non-EU orgs in scope of Art. 3(2) | Orgs meeting Art. 37 criteria |
| Relationship | Can be an external provider | Internal or external; independent |
| Replaces the other? | No | No |
One, the other, or both?
A non-EU SaaS company with EU users but no large-scale sensitive processing typically needs a representative and no DPO. A non-EU health platform doing large-scale special-category processing may need both. An EU-established company may need a DPO and no representative. The two questions are independent — answer them separately.
To check whether the representative obligation applies to you, see when a representative is required.
Frequently asked questions
Related guides
When a representative is required
The Article 27 triggers — offering goods/services to, or monitoring, people in the EU.
Penalties for non-compliance
How Article 83 fines apply and why a missing representative is an easy finding for a DPA.
Cost & pricing
What the market charges, what drives the price, and the hidden costs to watch for.
Last updated 2026-05-23.
Get your EU representative in about ten minutes
€99/month, fully self-service, with DSAR handling and a hosted compliance page included.