Do you offer an app in the Apple App Store or Google Play Store?
Do you run an online shop that sells to customers in the European Union?
Is your cloud software or SaaS product accessible to users in Europe?
And is your company based outside the EU—for example in the United States, the United Kingdom, or China?
If so, you most likely need to appoint an EU data protection representative.
Get a free eligibility assessment.
Companies that are not established in the EU are still required to comply with the EU General Data Protection Regulation (GDPR) if they:
offer goods or services to individuals in the EU (e.g. online shops, apps, SaaS), or
make their services available to EU users—even if those services are free of charge.
(Article 3(2) GDPR)
If your company has no establishment or branch in the EU, you are legally required to appoint an EU data protection representative.
(Article 27 GDPR)
Your EU representative must be located in the EU and acts as your official point of contact for:
EU customers and users, and
European data protection authorities.
Failing to appoint an EU representative is considered a serious GDPR violation.
For example, the Dutch Data Protection Authority fined a non-EU website operator EUR 525,000 for not appointing an EU representative.
We help you:
stay GDPR-compliant and avoid costly fines,
respond professionally to authorities and data subjects, and
build trust with European customers, giving you a clear competitive advantage.
When you appoint us as your EU representative:
We act as your official EU data protection representative under Article 27 GDPR
You can list us in your privacy policy, contracts, and data protection documentation
We handle all communications with EU supervisory authorities and data subjects
We speak 6+ European languages and communicate clearly, professionally, and appropriately
We forward all requests directly to you by email (e.g. data access or deletion requests)
As lawyers and TÜV-certified data protection officers, we provide fast and reliable support in responding to GDPR inquiries
If needed, we also assist you with additional GDPR compliance matters
Get peace of mind, legal certainty, and a strong EU presence—without complexity.
📩 Contact us today for your free individual assessment.
info@fx-legal.de
+49 89 21 11 22 90
Further information:
US Department of Commerce – International Trade Administration: “Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance. (…) Fines in case of non-compliance can reach up to four percent of the annual worldwide revenue or €20million euros–whichever is higher.”
Wired.com – Brexit’s latest headache? An extra bundle of GDPR bureaucracy: “The appointment of a data representative is required by Article 27 of GDPR, the EU’s data protection regulation that started to be enforced in May 2018, triggering compliance panic all across Europe. GDPR anxiety has now almost faded from the British public’s memory, but the regulation’s consequences have not: as soon as the UK leaves the bloc in earnest, it will be treated as a non-EU country, and Article 27 will start applying to all British companies meeting the criteria. Who are they? Not corporate giants, which are likely to have an office somewhere in the EU already, and not family-run bakeries, but rather a galaxy of mid-sized internet-based companies catering to EU customers. Bell cites software-as-a-service startups, e-commerce businesses, and organisations that conduct clinical trials as DataRep’s typical clients.”
ComputerWeekly.com – The privacy and compliance challenges organisations face in 2021: “As the EU GDPR will no longer apply in the UK, Article 27 most definitely affects UK-based organisations, which means they will need to appoint an EU Representative.”
Wikipedia.com: “Under Article 27, non-EU establishments subject to GDPR are obliged to have a designee within the European Union, an “EU Representative”, to serve as a point of contact for their obligations under the regulation. (…) An establishment’s failure to designate an EU Representative is considered ignorance of the regulation and relevant obligations, which itself is a violation of the GDPR subject to fines of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.”