Jump to

EU Representative (GDPR Article 27)

What is an EU representative?

The EU representative (GDPR Art. 27) is the person or company a non-EU controller or processor must designate in the Union when it falls under GDPR’s extraterritorial scope (Art. 3(2)) — offering goods or services to people in the EU or monitoring their behaviour — without an EU establishment. The representative is the local mailbox with teeth: the addressee for supervisory authorities and data subjects, keeper of the Art. 30 records, named in your privacy notice.

Who needs one — the Turkish startup test

The trigger is targeting, not mere accessibility: EU-currency pricing, EU-language marketing, EU app-store availability aimed at those markets, or analytics that tracks EU users’ behaviour. A Türkiye-based SaaS with German customers and no EU entity is the textbook case. The narrow exemption — occasional, low-risk processing without special categories at scale — rarely fits a data-driven product. Note the mirror duty: EU companies without a Turkish establishment face KVKK’s own representation mechanics for VERBİS registration; cross-border groups often need both directions covered.

Choosing and contracting the role

The market solved this with professional representative services; the real work is the mandate: scope of authority, information-flow duties (a representative who cannot reach your DPO in 24 hours is decorative), liability allocation — authorities can address the representative for the principal’s non-compliance — and termination mechanics. Put the representative’s identity in the privacy notice and keep the appointment letter in the diligence folder; buyers check Art. 27 as a cheap proxy for privacy maturity.

Is the representative the same as a DPO?

No — the DPO is an internal oversight function; the representative is an external point of contact for territorial reach. A company can need both, either, or neither.

What risk does the representative carry?

Regulators can enforce against the representative in respect of the principal’s breaches — which is why serious providers demand cooperation covenants and indemnities in the mandate.

Related: GDPR, VERBİS.