Representative

A “representative” (also “legal representative” or “authorised representative”) is a locally established addressee for regulators (and, in some regimes, for users) when an organisation is not established in the jurisdiction but is still caught by the rules. The core idea is simple: cross-border activity should not mean “no one to contact” and “no one to enforce against locally”. In practice, the representative becomes the operational interface for inbound authority communications, user requests where applicable, and compliance evidence handling—without shifting the underlying responsibility away from the controller/provider.

At a glance

Core idea: If you’re not established locally but fall in scope, you need a locally established addressee for authorities (and sometimes users) so enforcement and communications work in practice.

  • EU GDPR: Non-EU controllers/processors offering goods/services to people in the EU or monitoring their behaviour generally must appoint one EU representative.
  • UK GDPR: Same logic for the UK—non-UK organisations targeting or monitoring individuals in the UK generally must appoint a UK representative.
  • DSA: Non-EU providers of intermediary services offering services in the EU must appoint an EU legal representative to interface with authorities (and can also support recipient communications).
  • AI Act: Non-EU providers of in-scope AI (notably high-risk AI systems and certain GPAI contexts) must appoint an EU authorised representative with a written mandate and documentation readiness.
  • Data Act: Non-EU actors placing connected products/services on the EU market must appoint an EU legal representative; operating without one increases enforcement reach.
  • NIS2 / UK NIS: Certain non-EU digital providers must appoint a representative; the role is often tied to security governance and incident communication/reporting.
  • Other laws: Similar “local agent/representative” concepts exist in Switzerland, Turkey, Korea, and Thailand, typically as jurisdiction-specific compliance tracks.

EU GDPR

Companies established outside the EU are required to appoint an EU representative according to Art. 27 GDPR if they offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or monitor their behaviour (e.g. cookie profiling). This applies to both controllers and processors. For processors not established in the European Union the applicability of GDPR depends on what the “processing activities” are related to: if the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller.

The obligation is often triggered by normal commercial behaviour: using EU languages or currencies, marketing directed towards EU customers (including ads), EU testimonials, EU top-level domains, dedicated EU contact details, delivery into the EU, or otherwise enabling and guiding EU customers to find and use the product. The mere technical accessibility of a website from the EU is not, of itself, sufficient evidence of an intention to offer goods or services to EU customers, but “substantial connection” indicators typically accumulate quickly once a business genuinely targets the market. Monitoring, in turn, implies an intention to collect data for a specific purpose; tracking natural persons on the internet (including the subsequent use of profiling techniques) can qualify, and monitoring may also occur through wearables and other smart devices. Typical examples include behavioural advertising, geo-localisation (particularly for marketing purposes), online tracking using cookies or other tracking techniques, market surveys and behavioural studies based on profiles, and monitoring through connected devices.

Art. 27 GDPR contains an exemption only if all criteria are met: personal data is processed only occasionally (from time to time and non-systematic), processing does not include large-scale processing of special categories of personal data or criminal offence data, and processing is unlikely to result in a risk to the rights and freedoms of data subjects. It is hard to meet all of these criteria in practice, and the “only occasionally” criterion is often the hurdle for most businesses.

The representative’s responsibilities are straightforward but operationally important. The representative acts as an addressee for authorities and data subjects to facilitate communication with controllers and processors outside the EU. The representative must be mandated in writing by the controller or processor to evidence the appointment. In addition, the representative must maintain the Art. 30 records of processing activities and make the record available to the supervisory authority on request. This is where many organisations struggle: the legal obligation is short, but the day-to-day reality is workflows, inboxes, SLAs, escalation paths, and an evidence pack that can be produced quickly and consistently.

Location matters. Only one representative needs to be appointed in an EU Member State, which can then serve for all other Member States. In the event that a significant proportion of a company’s customers are located in a specific EU Member State, it is best practice that the representative is established in this Member State. The representative should also be easily accessible for data subjects in all Member States no matter where the representative is located, so the practical test is “reachable, credible, and equipped”, not “present everywhere”.

Failing to appoint when required is not a technicality. GDPR violations can lead to substantial fines by authorities and exclusion from business activities in the EU, and business partners may refuse to transfer data to a non-compliant provider. Under the GDPR fine framework, infringements of obligations like the representative requirement can attract administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher), depending on the circumstances.

UK GDPR

The UK version follows the same logic with UK-specific enforcement. Since the GDPR is an EU regulation, it is generally no longer directly applicable in the UK after Brexit, but the UK government has incorporated the GDPR into UK data protection law. From 1 January 2021 onwards, the UK version of the GDPR, the “UK GDPR”, is effective and companies have to comply with it. Most requirements remain the same as in the EU GDPR, so companies that are already compliant with the EU GDPR will not have to make major amendments to comply with the UK GDPR; however, doing cross-border business might lead to additional requirements such as appointing a UK representative or ensuring compliance regarding international data transfers to and from the UK.

From 1 January 2021 onwards, companies located outside of the UK (whether in the EU or in a third country) with no offices, branches, or other establishments in the UK must appoint a UK representative if they are processing personal data of individuals in the UK that relates to offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK. When applying “offering” and “monitoring” factors, the same practical indicators are relevant (language and currency, advertising and marketing directed towards UK customers, UK domains, UK delivery, UK contact points), and UK guidance has treated EU territorial scope reasoning as a helpful reference point where aligned. Where required but missing, fines can reach GBP 8.7 million or 2% of annual global turnover (whichever is higher), depending on the case. In operational terms, the representative should be a real presence rather than a mailbox: a local, qualified privacy professional with the ability to receive and action communications. Contrary to the appointment of a DPO, there is generally no need to notify the ICO of the representation; in practice, authorities often take the necessary information from the company’s privacy policy. (By contrast, in UK NIS contexts, representative arrangements can involve notification expectations.)

DSA

The Digital Services Act uses the same “local enforceability” concept but in a narrower sector: it applies to organisations providing intermediary services. Like the GDPR, the DSA has extra-territorial scope for non-EU providers “offering” such services within the EU. To qualify as “offering” a service, an intermediary service needs to be accessible by EU recipients and needs to have a substantial connection to the EU. Besides an establishment, a substantial connection can result from factual criteria such as a significant number of recipients of the service in the EU or the targeting of activities towards the EU. Targeting is assessed based on all relevant circumstances; language or currency of a particular Member State, EU-oriented ordering capabilities, relevant top-level domains, app store availability, local advertising, and user support in EU languages can indicate targeting, while mere technical accessibility from the Union does not establish a substantial connection.

Under Art. 13 DSA the main task of the legal representative is to be the addressee for the competent national authorities, the European Commission and the European Board for Digital Services. National authorities can be judicial or administrative authorities (including law enforcement), so the role is primarily to deal with authorities in the event of legal proceedings and to ensure efficient and timely cooperation—particularly receipt of, compliance with, and enforcement of decisions. The legal representative can also act as the point of contact for recipients of the service and trusted flaggers, and for operational purposes can act as the electronic point of contact to facilitate communication with various stakeholders, including where language requirements make this practical. The DSA is explicit that the representative may be held liable for non-compliance with obligations under the DSA, without affecting the liability and legal actions that could be initiated against the provider of intermediary services.

Because the DSA’s legal representative can carry meaningful responsibility, quality requirements matter. Providers should ensure that the designated legal representative has the necessary powers and resources to cooperate with the relevant authorities, sufficient qualifications and experience to handle proceedings with national and European authorities, and (in the DSA framing) financial resilience, with the concept excluding representatives subject to reconstruction proceedings, bankruptcy, or personal/corporate insolvency. As with the GDPR it is sufficient to appoint a representative in one Member State to cover the whole of the EU; in practical supervisory terms, the appointment also helps anchor a clear “home” authority channel in the Member State where the representative is located.

AI Act

The EU AI Act introduces an “Authorised Representative” for AI providers located outside the EU (Art. 54). The EU Artificial Intelligence Act is a comprehensive AI regulation that categorises AI systems based on risk and establishes legal requirements for their development, placement on the market, and use within the EU. The Act applies to organisations outside the EU where their systems impact people within the Union. An Authorised Representative is a legal entity based in the EU that acts on behalf of an AI provider located outside the EU. This representative holds a written mandate to carry out specific legal tasks—including acting as a contact point for authorities and holding technical documentation to support post-market compliance. Any provider of an AI system subject to the AI Act who is not established in the EU must appoint a sole Authorised Representative. This includes providers of high-risk AI systems and (depending on deployment) providers of general-purpose AI models, as well as third-country suppliers whose AI systems reach the EU. The operational takeaway is documentation readiness and authority-facing capability: the authorised representative must be able to make the right documentation available and support post-market compliance processes when authorities engage.

Data Act

The Data Act also brings a legal representative obligation for certain non-EU actors (Art. 37(11)). Any company established outside the EU that makes connected products available or provides services (related and unrelated) in the Union must designate an EU legal representative. Until a representative is designated, authorities across Member States may exercise competence, including the power to impose proportionate and dissuasive penalties. The designation must be in place as soon as connected products or services are made available on the EU market; operating without a representative exposes the company to enforcement reach across Member States. The Data Act applies without prejudice to the GDPR: where personal data is involved, data protection authorities remain responsible for enforcement, and GDPR obligations continue to apply alongside the Data Act.

NIS 2/UK NIS

Cybersecurity regimes add another “representative” variant with incident-driven urgency. NIS2 updates the original NIS framework to improve cybersecurity across essential and important sectors, expands scope to more industries, and introduces stricter requirements. It can apply to companies with an establishment in the EU and, for certain digital providers, also to companies established outside the EU that offer their services within the EU. If a company does not have an establishment in the EU but offers the relevant services there, it is generally obliged to appoint a NIS representative, with size-based exclusions commonly applying for micro and small enterprises (Art. 26(3)). Where in scope, the obligations typically include cybersecurity risk-management measures and reporting timelines in the event of a significant incident (early warning, incident notification, intermediate reporting where requested, and final reporting). For non-EU entities offering certain services within the EU, appointing a representative creates a local contact point that can be addressed by authorities/CSIRTs and that can act on behalf of the entity, including around incident reporting and authority liaison. Administrative fines under NIS2 can be significant (with higher tiers for essential entities and a lower—but still material—tier for important entities, depending on classification and circumstances).

In the UK, the Network and Information Systems (NIS) Regulations remain fully applicable. The UK transposed the original NIS requirements into its own national legislation as the UK NIS Regulations 2018, retained and enforceable post-Brexit. They apply to Operators of Essential Services and certain Digital Service Providers (including online search engines, online marketplaces, and cloud computing services), with scope and SME exclusions depending on thresholds. Where a DSP’s head office is outside the UK, it is required to appoint a UK-based representative to comply with these regulations. Non-compliance can lead to enforcement measures and fines (commonly cited up to £17 million in serious cases), and representative arrangements are typically designed so the relevant UK authorities can contact a local addressee who can act on incident reporting and liaison.

Representative requirements in other laws

Representative-style obligations also appear outside the EU/UK framework—often with a similar policy goal: creating a local, reachable point for regulators and individuals.

In Switzerland, the revised FADP requires certain foreign private controllers to appoint a Swiss representative where they process personal data of people in Switzerland and the processing is linked to offering goods/services or monitoring behaviour, is large-scale, carried out regularly, and poses a high risk to the data subjects’ personality. The representative functions as the contact point for data subjects and the FDPIC, and has defined record-keeping / cooperation duties. (Art. 14)

Turkey’s KVKK uses a “Data Controller Representative” model for foreign controllers processing personal data of individuals in Turkey, and ties this to mandatory registration in VERBIS (the controllers’ registry), which foreign controllers typically complete via their representative. (Art. 16)

In Korea, certain overseas information and communications service providers with no address or business office in Korea must designate a “domestic agent” to act on their behalf for specific compliance tasks (including privacy officer duties and breach notification/reporting), and disclose the agent in the privacy policy. (Art. 31-2)

Thailand’s PDPA applies extraterritorially to foreign controllers/processors offering goods/services to people in Thailand or monitoring their behaviour there, and requires qualifying foreign controllers to appoint a Thailand-based representative authorised to act on their behalf. (Section 5, Section 37(5))

Putting it into practice

From an implementation perspective, the fastest path to a robust representative setup is to treat it as a workflow, not a name on a page. Start by confirming which regimes apply (EU GDPR, UK GDPR, DSA, AI Act, Data Act, NIS2/UK NIS) and whether any exemption is realistically available. Choose the location rule (where customers/recipients are concentrated, where supervisory handling is practically anchored, where language and operational needs are best served). Put the mandate in writing and define scope clearly: what the representative can receive, who can sign what, escalation contacts, response SLAs, and how evidence is produced. Publish the representative contact details where required or expected (privacy notice, points of contact under DSA, and other relevant disclosures). Build the evidence pack in advance: records of processing, policy set, technical documentation where required (AI), and incident playbooks where NIS applies. Then test the end-to-end process (a mock authority request, a mock user request, and—if relevant—a mock incident notification) so the representative role is not just “reachable”, but reliable.

Relevant legal provisions