Understanding GDPR: What You Need to Know in 2025

In 2018, the European Commission introduced the General Data Protection Regulation (GDPR). It shook the world because it applied both to European businesses and to any organization that processes the data of European individuals.
The GDPR is the most sweeping set of privacy regulations currently in place. Because it applies to so many organizations outside of Europe, it also requires some groups to appoint what’s called a GDPR representative.
Does your organization need to comply with Article 27 (GDPR Representative)? Keep reading to learn what this rule entails.
What is Article 27 of the GDPR?
Article 27 of the GDPR applies specifically to controllers and processors not established in the European Union. In short, the article applies to you if you need to comply with the GDPR but you don’t have an office or presence in the EU.
It says that businesses that aren’t established in the Union must appoint a representative in one of the EU member states.
What is a GDPR Representative?
A GDPR representative acts on your behalf with respect to the GDPR from within the EU. The appointed party is a direct contact between your organization and both data subjects and regulatory authorities.
Why would the EU require you to find a representative based in a member state?
Because traditionally, it’s hard to get in touch with companies outside the EU. A regulatory body could send letter after letter, and the recipient may never respond. Appointing an EU-based representative makes all communication more efficient and effective for everyone involved.
It’s not all about making life easier for regulatory bodies. Appointing a representative also makes it simpler for your business to uphold your obligations under the GDPR and avoid the huge fines associated with violations.
Are There Any Exceptions to the Representative Rule?
Yes, Article 27(2) says that this section doesn’t apply to organizations that only process data occasionally. It also doesn’t apply to public bodies.
To qualify for the exemption, you must also not process on a large scale any data related to Article 9(1) or Article 10, which are special categories of data, and your processing must be unlikely to affect the rights and freedoms of individuals.
Remember: even if there’s no obligation to comply with Article 27, you will most likely still have to comply with the GDPR more generally. Not appointing a representative doesn’t give you a free pass.
How to Designate a GDPR Representative
Do you need a GDPR representative? It’s important to follow the regulation’s guidelines when selecting one.
These are the most important points that you need to cover when you make your selection.
Who Can Be a Representative?
Your GDPR representative can be any natural or legal person.
Experts are most likely to fulfill this role because Recital 80 of the GDPR says that your representative can be subject to enforcement proceedings if you violate the law. In other words, they take on the risk of your violations.
The EU’s willingness to do this reveals its motivation for requiring the representative in the first place. It’s challenging to initiate lawsuits and enforcement proceedings against overseas bodies. If you have a representative within the EU, the enforcement process is much more streamlined.
Where Should Your Representative Be Located?
The answer to this question depends on your data processing activities.
If you process data across many EU member states evenly, then you can choose any nation. Belgium is a popular choice because it is at the heart of EU infrastructure and it is a center for global business.
However, if you only process data in Germany or France, then you need to choose a representative in Germany or France.
The goal is to make it as easy as possible for data subjects to contact you. So if 90% of your European data processing takes place in Germany, then you need a representative in Germany – not Romania or Ireland.
How Do You Appoint a GDPR Representative?
Data controllers or processors must appoint a representative in writing.
In most cases, you can do this by using a mandate agreement.
The agreement includes your organization’s details, the details of your representative, and a reference to Article 27.
Other clauses must also be included in your contract, like:
- Clauses describing each party’s obligations
- Liability clauses
- Indemnity clauses
- Non-disclosure clauses
You should also ensure that the agreement doesn’t provide for automatic termination if your company suffers a data breach.
Remember to Note Your Representative’s Details in Your Privacy Policy
If you need a GDPR representative, it’s not enough to appoint one and call it good. You also need to share their details to make them available to regulatory bodies and data subjects.
For most companies, this is as simple as adding the representative’s details to your privacy policy.
Do You Need a GDPR Representative? Understanding GDPR Representation
There are many elements of the GDPR that are confusing. Article 27 is one of them because many companies are only just finding out about the need to appoint a GDPR representative.
When does Article 27 apply to you? If you are a data controller or processor that processes personal data of individuals in the EU and you don’t have a European base, then you likely need a GDPR representative.
Choosing the right representative is important. Not only is it your obligation under the law, but the right service will also make it easier to comply.
Are you still wondering whether or not Article 27 applies to you? Click here to take EDPO’s GDPR assessment for more insight.
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must appoint a representative to ensure smooth communication and compliance.
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews, Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate these risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.

