Do I Need a GDPR EU Representative? A Practical Decision Guide for SaaS Companies
If your SaaS company is based outside the EU but has European users, you almost certainly need an EU representative under GDPR Article 27. Failing to appoint one can cost up to €10 million or 2% of global annual turnover, whichever is higher. This guide walks you through how to decide, what the exemption actually covers, and how to get compliant.
The “Forgotten Obligation” That Can Cost You €525,000+
Article 27 of the GDPR has been called the regulation’s hidden obligation, and for good reason. While most SaaS founders know about appointing a Data Protection Officer or publishing a privacy policy, far fewer realise that non-EU companies processing EU personal data must designate an EU-based representative.
The requirement has been enforceable since May 2018, but only drew widespread attention in 2021 when the Dutch Data Protection Authority fined Locatefamily.com €525,000 specifically for failing to appoint one, plus an order imposing a further €20,000 penalty for every two weeks the company remained non-compliant (capped at €120,000).
This isn’t just a concern for sketchy data-harvesting websites. If you run a B2B SaaS platform from the US, Canada, the UK, Israel, or anywhere else outside the EU, and European users sign up, enter their names and emails, or have their behaviour tracked through your analytics, the obligation likely applies to you.
What Exactly Is an EU Representative?
An EU representative under Article 27 of the GDPR is a natural person or legal entity based in an EU member state that serves as your company’s local point of contact for two audiences: EU data subjects (the people whose data you process) and supervisory authorities (the data protection regulators in each EU country).
This is fundamentally different from a Data Protection Officer. The IAPP has clarified the distinction: a DPO advises on and monitors your internal compliance and acts independently. An EU representative operates under a written mandate from your company. Their job is narrower but operationally critical: they receive and forward communications from regulators, handle data subject requests on your behalf, and maintain a copy of your Records of Processing Activities (RoPA).
As explained in an IAPP interview with Lucia Canga of the European Data Protection Office, there’s one particularly important practical implication: unlike EU-based companies that benefit from the “one-stop-shop” principle, non-EU companies must notify the relevant DPA in every member state where affected data subjects reside during a data breach. Your EU representative can be instrumental in navigating this across potentially dozens of national regulators.
The Decision Flowchart: Do You Need One?
Walk through these questions in order. If you reach a “Yes, you need a representative” endpoint, stop there.
| Question | If YES | If NO |
|---|---|---|
| 1. Established in the EU? (office, subsidiary, or branch in an EU member state) | No representative needed | Go to Q2 |
| 2. Offer goods/services to the EU? (SaaS sign-ups, EUR pricing, EU-targeted ads) | Go to Q4 | Go to Q3 |
| 3. Monitor EU user behaviour? (cookies, analytics, profiling, retargeting) | Go to Q4 | GDPR Art. 3(2) may not apply |
| 4. Is processing only occasional? (not part of regular business operations) | Go to Q5 | REPRESENTATIVE NEEDED |
| 5. Large-scale special category data? (health, biometric, racial, political data) | REPRESENTATIVE NEEDED | Go to Q6 |
| 6. Likely risk to individuals’ rights? (systematic processing = likely yes) | REPRESENTATIVE NEEDED | Exempt (all three conditions met) |
If you’re a SaaS company based outside the EU with EU users who sign up, pay, or are tracked through your platform as part of normal operations, you almost certainly need an EU representative. The occasional processing exemption is extremely narrow for commercial operations and virtually never applies to software products with an active user base.
Understanding the “Occasional Processing” Exemption
Under Article 27(2), you’re exempt from appointing a representative only if your processing meets ALL three conditions simultaneously:
1. The processing is occasional: meaning it is not a regular part of your business operations. If EU users can sign up for your SaaS product at any time, the processing is not occasional. The Dutch DPA clarified this in the Locatefamily.com decision: processing integral to how your platform operates cannot be “occasional,” even if the volume of EU data is small.
2. No large-scale special category or criminal data: special categories include health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, genetic data, and data concerning sexual orientation. If your SaaS touches any of these at scale (health-tech, HR platforms, fintech with KYC), this condition fails.
3. Unlikely to result in risk to individuals’ rights: the EDPB interprets this broadly, and virtually any systematic processing of personal data carries some risk.
You must meet ALL three conditions to be exempt. Failing any single one means you need a representative.
What Does the Representative Actually Do?
The role is more substantive than many companies expect. The English High Court described the EU representative’s role as “considerably fuller than a mere postbox”: it is an active, operational role.
Your representative’s core responsibilities include:
• Acting as the primary contact point for supervisory authorities in the EU
• Receiving and forwarding data subject access requests, deletion requests, and other rights exercises
• Maintaining an up-to-date copy of your Records of Processing Activities (RoPA)
• Cooperating with regulators during investigations and enforcement proceedings
• Assisting with data breach notifications across all relevant EU member states
That last point is crucial: if you suffer a breach affecting users across multiple EU countries, your representative coordinates notifications to potentially dozens of national DPAs, each with its own language requirements and procedures, all within the 72-hour notification window of Article 33.
Where Should Your Representative Be Located?
Under Article 27(3), your representative must be established in one of the EU member states where the data subjects whose data you process are located. If your SaaS platform has users across the entire EU, you can appoint a single representative in any one of those member states; you don’t need one in every country.
Most companies choose a representative in a country where they have the largest user base, or in jurisdictions with well-established regulatory frameworks like Ireland, the Netherlands, or Germany. The EDPB guidelines confirm that a single representative can serve as your contact point across all EU member states.
Important: the location of your representative does NOT determine your lead supervisory authority. Non-EU companies don’t benefit from the one-stop-shop mechanism, so don’t choose Ireland just because you think the Irish DPC will be your single regulator.
Don’t Forget the UK
Since Brexit, the UK has its own version of Article 27 under the UK GDPR. If your SaaS serves both EU and UK customers, you need two separate representatives: one based in an EU member state and one based in the UK. These are separate jurisdictions with separate regulators (the EU DPAs and the UK’s Information Commissioner’s Office).
Failing to appoint a UK representative can result in fines of up to £8.7 million or 2% of global turnover, enforced by the ICO. As the IAPP notes, no grace period was announced by either authority after Brexit; the obligation took effect immediately on 1 January 2021.
Liability: What’s the Risk?
A common concern is whether the EU representative can be held liable for your GDPR violations. The answer, clarified by the English High Court in Rondon v LexisNexis, is that a representative’s liability is limited to their own specific statutory obligations: maintaining your RoPA and cooperating with authorities. They don’t “stand in your shoes” for enforcement.
However: some EU member states have national laws that go further. Spain, for example, makes the EU representative jointly liable with the non-EU controller or processor. This is another reason to choose your representative’s jurisdiction carefully.
Appointing a representative does not shield your company from enforcement. Article 27(5) makes clear that the designation is “without prejudice to legal actions which could be initiated against the controller or the processor themselves.”
Practical Steps to Get Compliant
If you’ve determined you need a representative, here’s what to do:
1. Choose a qualified representative. This can be a specialist GDPR representation firm, a law firm with EU offices, a registered business entity, or an individual consultant in the EU. Most SaaS companies opt for a dedicated service provider. Annual costs typically range from €200 to €5,000 depending on complexity.
2. Execute a written mandate. Recital 80 of the GDPR requires an explicit written mandate authorising the representative to act on your behalf. This should define the scope of duties, communication procedures, and escalation paths.
3. Update your privacy policy. Your representative’s name and contact details must be included in your privacy notice under Articles 13 and 14 of the GDPR.
4. Prepare your Records of Processing Activities. Your representative needs a current copy of your RoPA under Article 30. If you don’t have one, create it now.
5. Establish clear internal processes. Define how data subject requests and DPA communications will flow between your representative and your internal team. Response times are tight: typically one month for data subject requests under Article 12(3), extendable by a further two months only for complex or numerous requests, and the data subject must be told about the extension within the first month.
6. Act now. The GDPR sets no grace period: the obligation applies from the moment you begin processing that falls under Article 3(2). If you’re already processing EU data without a representative, you’re already non-compliant, so move quickly.
Common Mistakes SaaS Companies Make
Confusing the EU representative with a DPO
These are distinct roles with different legal bases, responsibilities, and independence requirements. You may need both.
Assuming company size matters
The obligation applies regardless of whether you’re a two-person startup or a Fortune 500 company. What matters is whether you process EU personal data, not how big your team is.
Using a PO Box or virtual address
Supervisory authorities expect representatives to maintain a genuine local presence: a physical address, a local phone number, staff who can communicate in the local language, and availability during local business hours.
Thinking distance protects you
While cross-border enforcement of fines remains challenging, regulators can restrict your services to the EU market, and reputational consequences are real. Appointing a representative is also a compliance marketing opportunity that signals to EU customers you take their privacy seriously.
Claiming the exemption without documentation
The burden of proof rests with your organisation. If a supervisory authority challenges your exemption claim, you’ll need documentation showing your assessment process. Claiming an exemption without proper documentation is itself a compliance failure.
The Enforcement Trend Is Clear
While standalone Article 27 fines have been relatively rare so far, the trajectory is unmistakable. The Locatefamily.com enforcement action in 2021 was widely regarded as a test case, and multiple DPAs, including those in Finland, Belgium, and Spain, have since referenced Article 27 obligations in enforcement decisions. Supervisory authorities increasingly flag the absence of a representative as an aggravating factor in broader enforcement proceedings.
For SaaS companies building for a global market, appointing an EU representative isn’t just a compliance checkbox; it’s a practical necessity for operating in Europe. The cost is modest (often under €2,000/year), the process is straightforward, and the alternative is a legal exposure that scales with your European user base.
This article is for informational purposes only and does not constitute legal advice. For advice specific to your situation, consult a qualified data protection lawyer.
References
Article 3 GDPR: Territorial scope
EDPB Guidelines 3/2018 on territorial scope
EDPB: Dutch DPA fines Locatefamily.com €525,000
Bird & Bird: Art 27 representative liability analysis
IAPP: Representatives under Art. 27: all questions answered
IAPP: How to operationalize Article 27
IAPP: GDPR representatives after Brexit