When do you need an EU representative?
Article 27 GDPR ties the obligation to two triggers in Article 3(2): offering goods or services to people in the EU, and monitoring their behaviour. Here is how to tell whether your company is caught.
The two triggers in Article 3(2)
The EU representative obligation does not depend on where your company is incorporated. It depends on what you do. Article 3(2) GDPR extends the regulation to organisations outside the EU in two situations, and either one is enough to require a representative under Article 27:
- Offering goods or services to people who are in the EU — whether or not payment is required.
- Monitoring the behaviour of people while they are in the EU, where that behaviour takes place within the EU.
Note the wording: it is about people in the EU, not EU citizens. A US tourist browsing your site from their home in Texas is not in scope; an American living in Berlin is.
What counts as “offering goods or services”
A website being merely accessible from the EU is not enough on its own. What matters is whether you are targeting people in the EU. Authorities look at signals such as:
- Using an EU language or currency that is not your home market’s
- Mentioning EU customers, EU countries, or EU-specific shipping
- Offering delivery to or pricing for EU member states
- Running EU-targeted marketing or using an EU country-code domain
A single one of these can tip you into scope. If EU residents can sign up, subscribe, or buy, and you do nothing to exclude them, you are almost certainly offering services to the EU.
What counts as “monitoring behaviour”
Monitoring is broader than many founders expect. It includes tracking people across the web, behavioural advertising, analytics that profile users, and any technique that observes what people do in order to make decisions or predictions about them.
If you run analytics, retargeting pixels, or any form of profiling on visitors who are in the EU, the monitoring trigger likely applies — even if you never sell them anything.
The establishment exception
Article 27 is for organisations without an establishment in the EU. If your processing is carried out in the context of an EU establishment — a subsidiary, branch, or stable arrangement that does real processing — then Article 3(1) applies instead, and you do not separately appoint an Article 27 representative for that processing.
A mailbox or a dormant holding entity is not an establishment. The test is whether there is effective and real activity through stable arrangements.
A quick self-check
If you are a non-EU company and any of the following is true, you very likely need a representative:
- People in the EU can buy, subscribe to, or sign up for your product
- You ship to, price for, or market to EU member states
- You run analytics, tracking, or profiling on EU visitors
Still unsure? The 60-second compliance checker walks you through the same logic and gives you a personalised answer.
Frequently asked questions
Related guides
Penalties for non-compliance
How Article 83 fines apply and why a missing representative is an easy finding for a DPA.
Representative vs. DPO
Two different roles that are often confused. When you need one, the other, or both.
Cost & pricing
What the market charges, what drives the price, and the hidden costs to watch for.
Last updated 2026-05-23.
Get your EU representative in about ten minutes
€99/month, fully self-service, with DSAR handling and a hosted compliance page included.