
A surprising number of non-EU companies realize they need an EU representative only when a customer procurement team asks for proof. That proof is usually an article 27 designation letter - a formal document showing that your business has actually appointed a representative in the EU, not just listed an address on a privacy notice.
For US companies selling into Europe, this document is not paperwork for its own sake. It is evidence of a legal appointment under GDPR Article 27. If you are marketing to people in the EU, selling goods or services to them, or monitoring their behavior, regulators, customers, and privacy teams may expect to see it. If you cannot produce it, the problem is not just administrative. It signals visible non-compliance.
What is an article 27 designation letter?
An article 27 designation letter is the written appointment of your EU representative under the GDPR. It confirms that a non-EU controller or processor has designated a representative in one of the EU member states where affected data subjects are located.
In plain terms, it is the document that turns a vendor relationship into a legal appointment. Without that written designation, calling someone your representative is weak at best. A website privacy notice naming a contact is helpful, but it is not the same thing as a signed appointment document.
The letter matters because Article 27 is not satisfied by intent. It requires an actual designation in writing. That written record is what you show when a regulator asks who represents you in the Union, when a customer asks for compliance evidence during vendor review, or when your internal legal team needs to confirm the appointment was made correctly.
When do you need an article 27 designation letter?
You generally need one when your company is not established in the EU but falls within the extraterritorial scope of the GDPR. That usually means you offer goods or services to people in the EU or monitor their behavior there.
This catches more US companies than many founders expect. A SaaS platform with EU users, an ecommerce brand shipping to France or Germany, an app tracking user behavior for analytics, or a B2B vendor running targeted campaigns into the EU can all fall into scope. If your business touches EU personal data in a way that triggers GDPR Article 3(2), Article 27 needs attention.
There are limited exceptions. If processing is only occasional, does not include large-scale handling of special category or criminal data, and is unlikely to create risk to individuals' rights and freedoms, the representative requirement may not apply. That exception is narrow. Many operating businesses rely on it too casually, especially if EU sales, recurring subscriptions, or ad-tech tracking are involved.
If your privacy counsel, DPO, or enterprise customer asks for your article 27 designation letter, that is usually a sign the issue is already live.
What should the designation letter include?
A credible letter should do more than state names. It should clearly identify the non-EU company, identify the appointed EU representative, reference the legal basis for the appointment under GDPR Article 27, and confirm that the representative is authorized to be addressed by supervisory authorities and data subjects on GDPR-related matters.
It should also reflect the scope of the appointment in practical terms. For example, does the representative only receive messages, or are they authorized to triage requests, coordinate responses, and support communications with authorities? That distinction matters. There is a real difference between legal representation and a mailbox provider that simply forwards inbound emails.
At a minimum, a strong designation letter usually includes:
- The legal name and registered details of the non-EU company
- The legal name and address of the EU representative
- A statement appointing the representative under Article 27 GDPR
- The effective date of the appointment
- Confirmation of the representative's authority to receive communications from supervisory authorities and data subjects
- Signatures or equivalent execution details showing the designation was actually made
Some businesses also include references to the categories of processing, the relevant markets, or the supporting service framework. That can help, but the core issue is still clear written designation and defensible authority.
Why customers and regulators ask for it
Procurement teams do not ask for this document out of curiosity. They ask because visible GDPR gaps create contract risk. If you are a non-EU vendor handling EU personal data and you cannot show a valid appointment, your customer may question the rest of your compliance program too.
The same goes for regulators. An article 27 designation letter gives them a defined point of contact inside the EU. That does not eliminate your own obligations, and appointing a representative does not shift liability away from your company. But it does show that you took a required compliance step and created a workable channel for supervisory contact.
That practical point gets overlooked. Article 27 is not just about formalities. It exists because authorities and data subjects need an accountable route to reach non-EU companies. If your setup fails that basic test, enforcement risk rises quickly.
A weak letter creates almost as many problems as no letter
Not all designation letters carry the same weight. Some are tied to bare-bones address services that provide little beyond a postal location and email forwarding. On paper, that may look sufficient for a first pass. In a real inquiry, it can fail badly.
If a supervisory authority contacts your representative, timing and judgment matter. The representative may need to understand the legal issue, route it correctly, preserve records, and help your team avoid an avoidable mistake. A passive provider can become a bottleneck. Worse, they can make your compliance posture look cosmetic.
That is why sophisticated buyers increasingly ask who the representative is, not just whether one exists. They want to know if the appointment is backed by legal capability or by an inbox.
How to get an article 27 designation letter right
Start with the threshold question: are you actually in scope? If your company has no EU establishment but markets to EU residents, ships products into the EU, localizes pricing in euros, runs campaigns targeting EU countries, or tracks EU user behavior, assume the issue deserves a serious review.
Next, appoint a representative that can do more than receive mail. Your designation letter should reflect a real operational role. That includes handling authority inquiries, routing data subject requests, and supporting incident coordination when something goes wrong.
Then make sure the appointment is documented properly and reflected consistently across your privacy materials. Your privacy notice should identify the representative, and the underlying designation letter should match that disclosure. Mismatches create credibility problems fast.
Finally, treat the letter as part of a larger compliance file, not a one-time PDF. If your legal entity name changes, your representative changes, or your processing profile expands into new EU markets, the designation should be updated. A stale document is an easy target in diligence or enforcement.
Common mistakes US companies make
One common mistake is assuming Article 27 does not apply because the business has no office in Europe. That is backwards. Article 27 exists precisely because many companies subject to the GDPR do not have an EU establishment.
Another mistake is relying on a privacy policy update without executing a written appointment. Public disclosure is necessary, but it is not enough. The law expects a designation in writing.
A third is choosing the cheapest provider without asking what happens when a regulator writes in. Cheap representation can become expensive when your internal team is left decoding legal correspondence without local support.
This is where a lawyer-led service has an obvious advantage. A provider such as rep4eu is not selling a European mailing label. It is putting licensed attorneys and a formal legal structure between your company and a predictable category of regulatory exposure.
The business case is straightforward
For many companies, the value of an article 27 designation letter is not just legal compliance. It helps remove friction in sales cycles, answers customer diligence questions quickly, and shows your company understands how cross-border privacy compliance works in practice.
It also creates a cleaner internal process. When data subject requests or authority communications come in, your teams know where they go and who handles first-line intake. That is better than scrambling after the fact while legal, security, and customer teams argue over ownership.
If your company is already doing business in Europe, waiting until someone asks for proof is the expensive path. The smarter move is to make sure the appointment is real, the designation letter is signed, and the representative behind it can do the job when it counts.
The best article 27 designation letter is not the one that looks formal. It is the one backed by a representative who can stand up the moment your business is tested.