EU Representative - General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 imposes extraterritorial obligations on companies that are not established in the EU or EEA.

According to Article 27 of the GDPR, all Processors / Controllers operating outside the European Union (EU) who handle personal data of individuals within the EU and are offering goods or services to EU residents or monitoring their behavior within the EU, must appoint a EU Representative – General Data Protection Regulation (GDPR).

Article 27

Representatives of controllers or processors not established in the Union


1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

GDPR data

Which organizations are required to appoint a GDPR representative?

GDPR applies to all organizations that process personal data of individuals in the EU, independently on where the organization is located (even outside the EU) and type of industry (e.g. online platforms, hosting services, IT services, electronic communications, medical devices, etc.).

To assess whether your company falls within the scope of the EU GDPR, it is best to answer the following questions in terms of Article 3 (2) of the GDPR:

  • Does your company offer goods or services to individuals who are located in the EU?, or
  • Does your company monitor the behavior of individuals who are in the EU?

In general, GDPR applies if you hold any personal data on anyone in the EU:

  • if you have any customers in the EU and hold their name, phone number or credit card number or
  • if your website uses tracking cookies or pixels and anyone from the EU visits your site, GDPR regulation apply to you, regardless of your location.

Medical Device Companies Without EU Establishment: Who Needs a GDPR Representative?

  1. Artificial Intelligence in Medical Devices: AI applications in medical devices often process personal data, including data from EU citizens used in training machine learning systems or applied to personal data for individual assessments.
  2. Medical Device Mobile Apps: GDPR mandates compliance for mobile apps that collect and process personal data of EU citizens, regardless of the app’s operational base.
  3. Implantable Devices: implantable medical devices equipped with software can transfer data to external systems. If manufacturers receive such data from healthcare providers, they are processing personal data, necessitating GDPR compliance. Additionally, the implant ID number may be linked to a database containing personal details about the individual, further underscoring the importance of adhering to GDPR regulations.
  4. Clinical Activities: Manufacturers involved in Clinical Investigations (under MDR), Performance Studies (under IVDR), or Clinical Trials (for medicinal products) must comply with GDPR, based on data retention periods. It’s important to note that the representative required under Article 62.2 of the MDR cannot be considered an “establishment” for GDPR purposes.
  5. Supplier Surveys in Europe: Engaging with supplier surveys in Europe necessitates GDPR compliance due to data processing activities involved.
  6. Post-Market Clinical Follow-Up: Manufacturers who perform and collect clinical data from various sources like patient registries and health records involving processing personal data, requires GDPR adherence.
  7. Customer Feedback and Complaints: Processing feedback from end-users in the EU means dealing with personal data, thereby triggering GDPR compliance. Manufacturers must establish procedures for handling such data securely.
  8. Marketing and Communications: Manufacturers with a website or a “contact us” page collecting personal data must comply with GDPR if they intend to enter or have a presence in the EU market.

What risks do organizations face for non-compliance with Article 27?

Be subject to administrative fines up to 10,000,000 EUR, or up to 2% of the total worldwide annual turnover from the preceding financial year—whichever is higher. Additionally, the GDPR empowers individuals whose data rights have been breached to initiate legal action. Such breaches and instances of non-compliance can quickly become evident.


Ensure your organization adheres to these regulations to avoid potential financial and legal repercussions.
It's safer to appoint an EU Representative and ensure compliance rather than face the risks associated with non-compliance!

Let us be your solution!

At MDSS, we ensure your business’s compliance with the General Data Protection Regulation (GDPR) through our comprehensive services:

  • Contact Point for Compliance: MDSS serves as the primary contact point for supervisory authorities and data subjects regarding all processing-related issues, ensuring GDPR compliance (Article 27.4).
  • Cooperation with Supervisory Authority: MDSS cooperates with supervisory authorities upon request, assisting in the performance of their tasks in line with Article 31.
  • Information Provision: We provide necessary information to supervisory authorities as required for the fulfillment of their tasks, as per Article 58.
  • Record of Processing Activities (RoPA): We verify and maintain the record of processing activities on behalf of the Processor/Controller, as outlined in Article 30.1 and 30.2, keeping it readily available in electronic form and providing it to the supervisory authority upon request (Article 30.4).

MDSS can assist you with your RoPA. Afterwards, you can list the details of your EU GDPR Representative on your website, apps, terms of business, and consent forms right away. If we receive any contact from someone in the EU on your behalf, we will forward it to you and assist with any further communication as needed.

Failure to comply with this regulation could result in significant penalties. To ensure adherence to GDPR requirements and avoid legal consequences, it’s imperative for Processors/Controllers outside the EU to designate a representative within the EU.

Still not sure if you need to appoint a data protection representative?

Get a free assessment consultation!