EU Data Representative: What US pharma and biotech companies need to know
- Rock Consultancy

June 2026
Article 27 GDPR applies to far more US life sciences companies than many realise
Intro
The extraterritorial reach of the General Data Protection Regulation (GDPR) is well known, yet many US pharma and biotech companies are surprised to learn that it applies to them, and even more surprised to learn about Article 27. If your organisation has no establishment in the EU but engages with EU-based consumers, patients or trial participants, you are likely required to appoint an EU Data Representative ('EU Data Rep.'). For small and medium-sized life sciences companies expanding into the EU, this is one of the first compliance obligations to address, and one of the most frequently missed.
Details
When does Article 27 apply? It applies to controllers and processors not established in the EU that offer goods or services to individuals in the EU, or monitor their behaviour. The goods or services do not need to be paid for, and the obligation applies regardless of company size.
Common triggers in the pharma sector include: running clinical trials with EU sites or participants, including decentralised trials collecting data remotely from individuals in the EU; patient support, early access or compassionate use programmes involving EU patients; companion health apps and wearables available to EU users; and pharmacovigilance activities involving the personal data of EU patients.
The exemption rarely helps pharma. Article 27 contains a narrow exemption where processing is occasional, low risk and does not include, on a large scale, special categories of personal data. Health data, genetic data and biometric data are all special categories. For most life sciences companies, the exemption is simply unavailable.
A separate obligation from your clinical trial legal representative. Sponsors outside the EU appoint a legal representative under the Clinical Trials Regulation (EU) 536/2014. This is a distinct obligation and does not satisfy Article 27 GDPR. Many US sponsors assume one appointment covers both. It does not.
What the EU Data Rep. does. Once appointed in writing, the EU Data Rep. acts as the contact point for EU supervisory authorities and data subjects, supports the handling of data subject requests, retains records of processing activities, and must be named in your privacy notices. Importantly, the representative does not assume your liability: your organisation remains accountable for GDPR compliance.
Key takeaways
US pharma and biotech companies without an EU establishment frequently fall within Article 27 GDPR.
Clinical trials, patient programmes, health apps and pharmacovigilance involving individuals in the EU are typical triggers.
The Article 27 exemption rarely applies in life sciences because health data is a special category.
A Clinical Trials Regulation legal representative does not satisfy the GDPR requirement.
Failure to appoint an EU Data Rep. where required can result in fines of up to 2% of global annual turnover.
Further Reading
Art. 27 GDPR - Representatives of controllers or processors not established in the Union: https://gdpr-info.eu/art-27-gdpr/
EDPB Guidelines 3/2018 on the territorial scope of the GDPR: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en
At Rock Consultancy, we provide scalable and comprehensive EU and UK Data Rep. services specifically designed for companies navigating EU and UK compliance requirements.
For any queries on this article or how Rock Consultancy can support your organisation, please contact us at info@rockconsultancy.ie


