When does your company need an EU representative according to article 27 GDPR?
Article 27 GDPR is adressing mainly non-EU companies. When you are providing services and products within the EU from the outside, this article requires you to have a repesentative within the EU.
When you are regularly doing business in the EU and you are providing products or services to people that are currently situated within the EU (they don’t necessarily need to be citizens of the EU), you are subject to GDPR including its article 27, which means you have to have a representative that is situated within the EU.
Representative: If your company has EU customers you need a representative within the EU. If you do not have an office in the EU, you will require an external service provider as your EU representative.
Why do you have to have a representative?
The respresentative is the touchpoint and a single point of contact for authorities and for data subjects in all matters regarding GDPR. If a local data protection authority wants to get in touch with you they are expecting that you have a representative sitting within the EU. The same is valid for data subjects that want to ask any questions or that want to have a data subject right being executed by you: they can also expect to have a contact point within the EU.
Important: Although this role of the reprensatitive is somewhat comparable to a data protection officer, the representative doesn’t step into your liability and responsability for processing personal data of EU data subjects.