Article 27 · Mandatory for most non-EU companies

A named EU representative — today.

If you process the personal data of anyone in the EU and you don't have an entity there, Article 27 GDPR requires a named representative. We become yours — on your privacy page, in your footer, on record with every DPA. In your timezone.

Book a demo Do I need one? 60-second check
60-second check

Tap what's true for you. We'll tell you if Art. 27 applies.

Article 27 is one of the most-overlooked and most-fined obligations in the GDPR. Enforcement is rising and the first thing a regulator checks is whether you have one.

Awaiting input Tap the statements that are true for you.

Article 27 applies when you process personal data of people in the EU and you have no establishment there. Tick the boxes above to see whether this obligation lands on your company.

The risk of going without

Regulators enforce Article 27. Increasingly, first.

MAX ADMIN FINE1
€10M

Or 2% of global turnover — whichever is higher. For Art. 27 non-appointment specifically.

STACKED WITH1
€20M

Or 4% of global turnover, for the underlying data protection breach that brought you to the DPA's attention.

DPA CASES 2023–252
+340%

Growth in Article 27 enforcement actions across EU DPAs since the first major rulings in 2023.

TYPICAL TIMELINE3
28 days

From the DPA's first letter to a formal finding — if you have no named representative to respond.

  1. 1. GDPR Art. 83(4)–(5); fines denominated in EUR or % of worldwide annual turnover, whichever is higher.
  2. 2. Aggregated across EDPB member DPA annual reports, 2023–2025 (EU Presence internal tracker).
  3. 3. GDPR Art. 58 investigatory powers; statutory response window averaged from published DPA case logs.
What you get

A full representative, not a mailbox.

01

Named on record

A real legal entity registered as your Art. 27 representative. Listed on your privacy page, footer, and in your Article 30 records.

02

Certificate of representation

Display the EU Presence GDPR Verified badge on your website and privacy policy. It links to your public compliance page, signals legal compliance to customers and partners.

03

Data subject requests

EU residents can contact us directly to exercise Article 15–22 rights. Every request routes to your DSR inbox, verified.

04

ROPA builder

Create and manage your Record of Processing Activities with a guided wizard and stay up to date as you scale. Article 30, covered.

05

Breach notification

If something goes wrong, we file the 72-hour notification with the correct lead DPA. Drafts pre-approved by you.

06

Covered, not alone

Included: annual compliance review, policy template library, and a dedicated privacy counsel on Slack or email.

Where we operate

Coverage in every member state.

Article 27 requires a representative in a member state where affected data subjects are. We cover all 27 — plus the UK, under the parallel UK GDPR Art. 27 obligation.

Coverage

27 member states · live

EU-27 appointment UK GDPR parallel
27 / 27 EU member states +UK via UK GDPR Art. 27 24 official languages covered

Sample DPA correspondence (last 30 days)

Illustrative
DE
BfDI — Subject access request routing
Resolved · translated · 2 attachments
✓ 3h 12m
IE
DPC — Article 30 records audit
Responded · records provided in EN/GA
✓ 1d 04h
FR
CNIL — Cookie consent clarification
Resolved in FR · no action required
✓ 6h 41m
IT
Garante — DSR forwarding confirmation
Acknowledged · routed to client
✓ 42m
ES
AEPD — Proof of appointment
Documents filed · reference AEPD-24-7712
⋯ pending
NL
AP — Transfer mechanism question
Draft response with client · 24 Apr
⋯ drafting

Every DPA letter that lands on our desk gets a response in the same language, within statutory deadlines, with a summary in English for you. You see the inbox. You never see the paperwork.

  • Native-language response in DE, FR, IT, ES, NL, PL, + all other official EU languages
  • Statutory deadline tracking — we never let a 30-day clock run out
  • Every response archived, tagged, and exportable for your audit trail
  • Escalation to external privacy counsel when you want a legal review
How it works

Appointment in 48 hours.

  1. Discovery call

    30 minutes. We map your data flows, confirm Art. 27 scope, and pick the right member state for your primary appointment.

  2. Mandate signed

    You'll receive a one-page Letter of Appointment. Once signed, we're officially appointed as your representative.

  3. Published and filed

    We provide the privacy-policy language, update your Art. 30 records, and (where required) file the appointment with the local DPA.

  4. Covered, indefinitely

    From day one, every DPA inquiry and data subject request routes to us. You get monthly summaries and an annual compliance review.

Privacy-policy snippet we provide
// Drop this into your privacy policy

EU Representative (Art. 27 GDPR)
World Presence j.d.o.o.
Ulica Brune Bušića 42
10000 Zagreb, Croatia

Email: dpo@eupresence.com
Ref:   ACME-GDPR-2026

// Also added to your Art. 30 record
// and filed with the lead DPA.
That's what regulators look for. A named entity, a real EU address, a working contact. We supply all three.
How we compare

Where the cheap options fall down.

Capability EU Presence Solo-practitioner rep Mail-forward service
Named Art. 27 entity✓ Registered in DE~ Varies
Native-language DPA response✓ 24 EU languages~ 1–2 languages
Avg. response time to DPA✓ 4 hours~ 3–5 days7–14 days
DSR inbox & verification✓ Built-in✕ Forwarded raw
Article 30 records maintained~ At extra cost
72-hour breach filing✓ Pre-drafted~ Hourly billing
Audit-ready archive✓ Full export
Annual compliance review✓ Included
Proof

Teams shipping to Europe, already covered.

From pre-launch AI startups to Series C fintechs — Article 27 appointments filed in under 48 hours.

YC W25
"We were told we needed a GDPR rep three days before launch. They had our appointment filed before we finished the onboarding call."
Marco Tollo Head of Legal · Series B AI infrastructure
"The DPA sent us a letter in Italian. They had a translated response out before we'd even read the original."
Jordan Park CEO · SaaS analytics, $12M ARR
"We compared three options. EU Presence was the only one that actually responded to DPAs — not just forwarded mail."
Sofia Ricci GC · Marketplace, 40 EU countries
"Named rep in Berlin, 48 hours. Our privacy policy went from red-flagged to audit-ready in a week."
Rahul Khanna Founder · B2B data platform
500+Art. 27 appointments filed
27 / 27Member states covered
< 4hAvg. response time to DPAs
100%Deadlines met, 2024–2025
Pricing

One monthly fee. All 27 member states.

FLAT MONTHLY

GDPR Representative

$127 / month

One price. Every company size. Named Art. 27 representative with full DPA correspondence, DSR handling, and audit-ready archive — included.

Book a discovery call 60-second check
No setup fees · 30-day termination · Pay monthly or annually
  • Named Art. 27 representative on record
  • Coverage in all 27 EU member states
  • Unlimited data-subject requests
  • DPA correspondence in 24 EU languages
  • ROPA builder for Article 30
  • 72-hour breach filing, pre-drafted
  • Policy template library
  • Annual compliance review, included
Often purchased together

Companies who take GDPR Rep also take.

EU Trust Bundle

Three products. One engagement. 15% off.

The standard compliance stack for US companies with real EU exposure. One onboarding, one invoice, one team.

You save $1,485 / yr
THIS PAGE

GDPR Representative

Article 27 coverage, 27 member states, named EU entity.

Flat$127 / mo
 ADD

Privacy Center

Hosted trust hub, unified DSR inbox, versioned policies, sub-processor log.

Standard$199 / mo
 ADD

DSA Representative

If users post or trade on your platform — Article 13 legal rep + notice endpoint.

Platform tier$499 / mo
BUNDLE TOTAL
$825 / mo $701/ mo · 15% off Book a bundle call
Common questions

What founders ask us first.

Do I really need an Art. 27 rep if I don't target the EU?

If anyone in the EU can sign up, buy, or even load a cookie on your site, and you don't have an EU entity — yes. "Targeting" under the GDPR is interpreted broadly. The safest baseline: if you can't geo-block, you need a representative.

What's the difference between a GDPR Representative and a Data Protection Officer (DPO)?

Totally different roles. A DPO advises you on compliance (often internal, Article 37). A Representative is the legal EU-side contact for authorities and data subjects (Article 27). You may need neither, either, or both. We offer both.

Which member state should my representative be in?

Art. 27 says "a member state where affected data subjects are." In practice, we default to Germany or Ireland — both have well-regarded DPAs, English-friendly practice, and broad enforcement precedent. We'll recommend the right one on your discovery call.

Does the UK need a separate representative?

Yes — since Brexit, UK GDPR Art. 27 is a parallel obligation. We cover both with a single engagement and one invoice.

What happens if a DPA sends us a letter directly?

Forward it to your EU Presence counsel. We take over the correspondence from there, coordinate with you on substantive responses, and handle the language and deadline mechanics.

Can we switch representatives later?

Yes. Representative appointments are terminable with 30 days' notice. We help with the handover and file the change with your lead DPA. No punitive clauses.

Article 27, handled Monday.

30-minute discovery call. Appointment filed within 48 hours. A named representative, in your privacy policy, by end of week.

Book a discovery call Also see Privacy Center