Does my company need a UK or EU GDPR representative?

If your business is expanding into the UK or EU, you may need to appoint a local GDPR representative before, or soon after, you start targeting customers in that market.

If you are not established in the respective market you are targeting, but you offer goods or services to people there or monitor their behaviour, you may need to appoint a local GDPR representative.

This can affect:

  • foreign companies entering the UK;
  • foreign companies entering the EU;
  • UK companies expanding into the EU;
  • EU companies expanding into the UK;
  • companies outside both markets targeting both.

Under the UK GDPR, an overseas organisation may fall within scope if it offers goods or services to people in the UK or monitors their behaviour in the UK. The ICO says organisations without a UK establishment that target people in the UK generally need to appoint a UK representative, including organisations based in the EEA.

Under the EU GDPR, a company outside the EU may need to appoint a representative in the Union where it offers goods or services to people in the EU or monitors their behaviour there. Article 27 says the representative must be designated in writing, unless a limited exemption applies.

In practice, this means a UK company selling into the EU may need an EU GDPR representative. An EU company selling into the UK may need a UK GDPR representative. A US, Canadian, Australian or other overseas company targeting both markets may need both.

A representative is not a DPO, lawyer, regulator or outsourced compliance department. Their role is to act as a local contact point for individuals and regulators.

You may need to assess this requirement if you:

  • sell products or services into the UK or EU;
  • run UK or EU marketing campaigns;
  • offer local delivery, pricing or customer support;
  • provide SaaS, apps or online services to users there;
  • track users through cookies, analytics or profiling.

Mere website accessibility is not usually enough. There should be evidence that you are intentionally targeting people in that market. The ICO gives examples such as UK marketing, a .co.uk domain, GBP pricing, UK testimonials or UK delivery arrangements.

Need a UK or EU GDPR representative?
We help companies entering the UK and EU markets meet Article 27 representative requirements clearly and efficiently.