Five myths about the EU Data Representative that put US companies at risk June 2026
- Rock Consultancy

- Feb 6
'We're too small', 'we don't charge EU users', 'our vendor handles it': why these assumptions fail
Intro
Article 27 GDPR requires organisations without an EU establishment that offer goods or services to individuals in the EU, or monitor their behaviour, to appoint an EU Data Representative ('EU Data Rep.'). In our work with US companies, the obligation is rarely ignored deliberately. More often, it is missed because of a handful of persistent myths.
Here are the five we hear most, and why each one fails.
Details
Myth 1: 'We're too small for the GDPR to notice us.'
Article 27 contains no small-company exemption. The obligation turns on what data you process, not how big you are, and European regulators increasingly act against small and medium-sized organisations, not just big tech.
Myth 2: 'We don't charge EU users, so we're fine.'
Payment is irrelevant. A free app, a free patient portal or a free trial recruitment site offered to individuals in the EU can trigger Article 27 just as readily as a paid service.
Myth 3: 'Our CRO, distributor or EU partner handles it.'
The appointment must be made in writing by your organisation, as controller or processor. A vendor's own compliance does not transfer to you, and controllers and processors each carry their own Article 27 obligations.
Myth 4: 'Our DPO covers it.'
The Data Protection Officer and the EU Data Rep. are distinct roles with different functions: the DPO advises and monitors compliance internally, while the EU Data Rep. is the locally accessible contact point for EU regulators and individuals. Combining them creates a conflict of interest, and having one does not discharge the other.
Myth 5: 'We'll deal with it if a regulator ever contacts us.'
By then, you are already in breach. Your privacy notice must name your representative today, and data subjects must be able to reach them today. The Dutch Data Protection Authority fined Locatefamily.com EUR 525,000 for failing to appoint an EU representative, with additional periodic penalties until compliance was achieved. Fines for an Article 27 breach can reach 2% of global annual turnover.
The common thread is that each myth treats the EU Data Rep. as someone else's problem, or tomorrow's problem. The GDPR treats it as yours, and today's.
Key takeaways
There is no size threshold: Article 27 applies to SMEs as readily as to multinationals.
Free goods and services offered to individuals in the EU can trigger the obligation.
Vendors, partners and DPOs do not discharge your own Article 27 duty.
Non-compliance is visible: a missing representative in your privacy notice is easy for regulators and complainants to spot.
Enforcement is real: Locatefamily.com was fined EUR 525,000, and fines can reach 2% of global annual turnover.
Further Reading
Art. 27 GDPR - Representatives of controllers or processors not established in the Union: https://gdpr-info.eu/art-27-gdpr/
Dutch DPA imposes fine of EUR 525,000 on Locatefamily.com: https://www.edpb.europa.eu/news/national-news/2021/dutch-dpa-imposes-fine-eu525000-locatefamilycom_en
At Rock Consultancy, we provide scalable and comprehensive EU and UK Data Rep. services specifically designed for companies navigating EU and UK compliance requirements.
To appoint Rock Consultancy as your EU & UK Data Rep., contact us at info@rockconsultancy.ie.

