skip to Main Content

When are you obligated to appoint a GDPR Representative (especially for UK firms post Brexit)?

Article 27 of the GDPR requires organizations established in the UK (and all other countries outside the EU) that process personal data of residents from the European Economic Area (EEA) to appoint a Representative that:

  • Acts as the point of contact for EEA residents to your company (if requested in their local language);
  • Acts as a liaison between Data Protection Supervisory Authorities and your company, and enables supervisory authorities to pursue enforcement actions.

The EEA encompasses all countries of the European Union, Norway, Iceland, and Liechtenstein

So, if you don’t have an establishment in the EEA but sell goods or services to EEA residents; if you process personal data of EEA residents on behalf of companies (inside or outside the EEA) or if you, for any other means, process personal data of EEA residents, you need to appoint a Representative.

This is also required if you don’t explicitly target EEA residents with your services but still process personal data of them.

GDPR Article 27:

When doing business in the EU, a GDPR representative can be obligatory.

Don’t wait for a penalty.

Why not organize it right now.

Contact us for more information on:
+31 88 8483 100


Why do you need to appoint a GDPR Representative now?

Brexit is a fact, and the UK has effectively left the European Union.

Although the UK is now “a third country” under the EU’s GDPR, a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs. However, an EU GDPR representative is mandatory right now, even during the six months transition period.

Compliance with the EU’s GDPR remains an obligation for any website, company or organization who process personal data of EU citizens.

For companies located in the UK, many activities are still within the scope of the GDPR after Brexit. This is the case when:

  • The company offers goods or services to EU citizens, regardless of financial transactions taking place;
  • The company monitors online behavior of EU citizens (including, but not limited to, behavioral advertising, geolocation for marketing purposes, online tracking through use of cookies or other tracking techniques).

UK companies that remain subject to the GDPR, should in most cases appoint an EU GDPR representative. An adequacy decision will not change this.

Small and medium sized enterprises can be exempt from this obligation if they only process personal data occasionally, don’t process much sensitive data and the processing is unlikely to result in a risk for EU residents. However, this exemption does not often apply.

This Representative obligation is also applicable for companies located in other non-European countries and offering goods or services to EU citizens.

The extension of the GDPR transition period doesn’t mean you can sit and wait.

Most of our clients want to focus on their business now Brexit has kicked in and need all their attention to get it going again at the pace they are used to let aside to grow their business to mainland Europe. We observe extra burden with contracts, border controls, licenses and taxes.

Do you recognize this?

A GDPR representative should be the least of your worries. Arrange it now and start the service to make sure you comply with EU data protection laws.

GDPR Brexit

What are the GDPR requirements of a representative. 

The Representative is required to:

  • Co-operate with the supervisory authorities;
  • Facilitate communication between data subjects and your organization;
  • Be readily accessible to data subjects in all relevant member states (when necessary in their own local language);
  • Maintain a Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

Supervisory authorities can pursue enforcement actions through the Representative for noncompliance of the organisation they represent

The Representative:

  • Is appointed to represent data controllers or processors that are not established in the EU
  • Must be established in one of the member states where the controller’s or processor’s data subjects reside

The Representative appears on your privacy policy (published on your website) as the contact for EAA residents and regulators

Your representative should work with you to: 

Set up your GDPR Representation

  • Ensure your privacy policy displays the Representative’s contact details;
  • Understand your data flows;
  • Review previous gap analysis and impact assessments;
  • Be aware of any (previous) breaches or non-compliance;
  • Establish a copy of your Records of Processing Activities (RoPA).

Provide ongoing GDPR Representation

  • Maintain and an up-to-date copy of your RoPA on an ongoing basis;
  • Translate and respond to queries from European data protection authorities and residents;
  • Advice on reporting and communication of personal data breaches;
  • Log breaches reported to directly to the representative;
  • Receive and log data subject rights requests and advise on suitable responses;
  • On request, advise on data protection regulatory issues that impact your organisation.

Our dedicated GDPR team

Our team consists of business analysts, legal, IT and GDPR professionals. Our skillset includes a high level of GDPR expertise, excellent communication skills and a can-do mentality, all of which we dedicate to your enterprise. We understand business needs and interests, so we appreciate the trade-off of GDPR accountability.

If you also need support for your DPO while conducting DPIAs or external audits, initiating awareness campaigns or any other relevant GDPR tasks, please do not hesitate to contact us.


News and blog articles about GDPR topics and interesting developments.

Representative References

If you have questions about our GDPR Representative role for these companies, contact us at

Petrik Cuijpers

P.C.W. Cuijpers MSc

Vivenics Managing Director
IT consultant, Data Integrity expert

Roy Verhoeven

R. Verhoeven, LLM/MSc

Compliance specialist
IAPP CIPP/E, certified privacy professional

Vincent Corbesir

V.A.R.J. Corbesir

Privacy professional, business analyst
IAPP CIPP/T and Tulser GDPR graduate

Carel de Vink

C.N. de Vink, BSc

IT expert, privacy professional
IAPP CIPP/E, Security, Agile, Kanban, Prince II


J.C.M. Hoogzaad, BSc

Backoffice manager


J.H.T.M. Mommersteeg, BSc

Data Quality expert

Please contact us for more information on +31 88 8483 100

More information here:   GDPR Compliancy Services

Pivot Park Oss


Visiting address:
Pivot Park
Kloosterstraat 9
5349 AB Oss, The Netherlands

Postal address:
PO Box 228
5340 AE Oss, The Netherlands


+31 (0)88 8483 100

Vivenics Privacy Policy