Article 27 vs Establishment: What's the Difference?

A US SaaS company can have thousands of customers in Germany, France, and Spain without an EU office. It may still be subject to the GDPR, and it may need an EU Representative. The Article 27 vs establishment distinction determines which compliance path applies - and getting it wrong can leave a visible gap in your privacy program.

The short version is straightforward: appointing an EU Representative under GDPR Article 27 does not create an EU establishment. A representative is your legally designated point of contact in the EU. An establishment is a real, stable business presence through which you conduct activity. They are not interchangeable, and a mailbox address cannot safely stand in for either one.

Article 27 vs establishment: the core legal difference

GDPR Article 27 applies to controllers and processors that are not established in the European Union but fall within the GDPR's territorial scope. This commonly includes non-EU businesses that offer goods or services to people in the EU or monitor their behavior, such as through behavioral advertising, tracking, profiling, or analytics tied to EU users.

If your company is caught by those rules and no exception applies, you must appoint an EU Representative in writing. The representative must be established in an EU member state where the relevant individuals are located. That representative serves as a contact point for supervisory authorities and data subjects on GDPR matters.

An EU establishment is something different. It is not limited to a local subsidiary or branch. Under GDPR practice, an establishment can arise where a company has real and effective activity in the EU through stable arrangements. That may include a staffed office, an EU team that performs meaningful business functions on an ongoing basis, or a local operation that is genuinely part of your commercial activity.

The legal structure matters less than the facts. Incorporating a European entity is strong evidence of an establishment, but not the only way to have one. Conversely, using an EU law firm or representative service does not turn your US company into an EU-established company.

Why an EU Representative does not create an establishment

An Article 27 Representative acts on your behalf for defined GDPR-facing functions. The role is designed for companies without an EU establishment. If the appointment itself created one, Article 27 would defeat its own purpose.

A legitimate representative does not run your product, negotiate your commercial contracts, manage your EU workforce, or make operational decisions for your business. The representative receives regulatory correspondence, helps route and coordinate data subject requests, and supports responses when an authority contacts you. Your company remains the controller or processor, and it remains responsible for compliance.

This distinction is especially important for companies trying to avoid unnecessary European corporate infrastructure. You can appoint a representative without opening an EU office, forming a subsidiary, registering a branch, or putting employees on the ground. Article 27 is a GDPR representation requirement, not a market-entry vehicle.

It also means a passive address provider is not enough. Regulators and data subjects need a functioning contact point that can receive, understand, escalate, and coordinate legal communications. A provider that only forwards an email may leave your business exposed precisely when speed and judgment matter most.

What counts as an EU establishment?

There is no one-question test. The assessment depends on your actual operating model, not the label you apply to it.

A single EU employee does not automatically mean you are established in the EU. But an employee or team working continuously from the EU on sales, customer support, product operations, or other meaningful commercial activity can change the analysis. So can a long-term local office, a branch, or a European entity conducting activity tied to the processing at issue.

A few situations often cause confusion:

  • An EU subsidiary: This may create an establishment, particularly where the subsidiary's activity is connected to the processing of personal data. A separate corporate entity is not an automatic answer either way, but it demands a serious analysis.
  • Remote EU employees: A founder hiring a sales lead in Ireland or a support team in Portugal should not assume remote work is legally invisible. Stable, ongoing activity can matter.
  • Cloud hosting in Europe: Using EU data centers alone does not usually create an establishment. Infrastructure is not the same as your own stable business presence.
  • An independent distributor: A reseller or distributor may not create an establishment for you, but the contractual relationship and actual control matter. Do not rely on the word “independent” without examining the facts.

This is why companies should reassess their position as they scale. A business that properly relied on Article 27 when it had no EU footprint may need a different GDPR structure after opening a European office or building an EU-based team.

If you have an establishment, Article 27 is not the solution

Article 27 is for companies that are not established in the EU. If you do have an EU establishment, your obligations may instead arise under GDPR Article 3(1), which covers processing in the context of activities of an establishment in the EU.

That does not mean your compliance burden becomes lighter. It may become more complex. You may need to determine which entity is the controller or processor, document the relationship between group companies, assess international data transfers, and identify the appropriate supervisory authority.

Companies sometimes assume that any EU presence automatically gives them access to the GDPR's one-stop-shop mechanism. That is not a safe assumption. The one-stop-shop concept depends on specific conditions, including whether there is a qualifying main establishment and where key decisions about processing are made. An EU mailing address or a nominal entity created for paperwork will not necessarily deliver those benefits.

The practical question is not, “Can we call ourselves established?” It is, “Where is our real EU activity, who makes data-processing decisions, and what does that mean for our regulatory obligations?”

When a non-EU company must appoint an Article 27 Representative

For most US businesses, the analysis starts with GDPR Article 3(2). You are likely in scope if you intentionally offer products or services to people in the EU, even where the service is free, or if you monitor their behavior in the EU.

Signals can include accepting EU customers, pricing in euros, shipping to EU countries, running EU-targeted campaigns, offering local-language checkout flows, or tracking EU visitors for advertising and analytics. None of these factors should be viewed in isolation, but together they can show that the EU market is part of your intended business activity.

Article 27 has narrow exceptions. You may not need a representative where the processing is occasional, unlikely to create a risk to individuals' rights and freedoms, and does not involve large-scale processing of special-category data or criminal-offense data. Public authorities and bodies are also excluded.

Those exceptions are narrower than many companies expect. A consumer app, ecommerce brand, B2B SaaS platform, ad-tech provider, or business with recurring EU users will often struggle to characterize its processing as merely occasional. If EU-facing activity is part of your growth strategy, treat the requirement as an operating obligation, not a theoretical edge case.

A practical decision process for US businesses

Start by mapping your EU touchpoints. Identify whether you sell to EU residents, market to them, or track their online behavior. Then identify every EU-based person, office, entity, contractor relationship, and long-term operational function connected to the processing.

Next, determine whether those facts amount to a stable and effective EU presence. If they do, obtain legal advice on the implications of establishment rather than trying to force an Article 27 approach. If they do not, assess whether Article 3(2) applies and whether an Article 27 exception is genuinely available.

Where a representative is required, appoint one formally and make the designation available as appropriate in your privacy documentation. Your representative's contact details should be clear, current, and capable of handling real requests. A regulator should not encounter a dead-end inbox. A data subject should not have to chase multiple parties to exercise a basic right.

A lawyer-led representative can also strengthen operational readiness. At rep4eu, licensed German attorneys provide formal EU Representative coverage, triage authority and data subject communications, and help coordinate the response process when a request or incident cannot wait.

The business risk is not limited to fines

Missing Article 27 coverage can create immediate friction before an authority ever contacts you. Enterprise customers may flag the absence during procurement. Privacy questionnaires may expose an unclear EU contact structure. A data subject request may be delayed or mishandled because no one owns the European-facing response.

The bigger problem is credibility. If your privacy notice says you serve EU users but provides no required representative details, the gap is public. It signals that compliance has been treated as a template exercise rather than an operational commitment.

An EU Representative will not solve every GDPR obligation, and it should never be used to disguise an actual EU establishment. But for non-EU companies with no EU presence, it is the correct legal bridge between your business and the people and authorities you affect. Build that bridge before a customer, regulator, or urgent request tests whether it can carry the weight.