Article 27 GDPR for non-EU companies: when is an EU representative required, and why is it so often mishandled?
A practical guide for non-EU companies targeting individuals in Italy or elsewhere in the Union, and trying to understand when Article 27 applies, what the representative must actually do, and why the issue is often mishandled in practice.
This article is the third in P&S Legal’s series on GDPR and foreign companies in Italy. The first instalment — Foreign companies doing business in Italy: when does GDPR fully apply? — addressed when the GDPR fully applies to foreign companies doing business in Italy. The second — Italian branch, local unit, sales office or distributor: which privacy obligations are triggered? — examined how different operational models activate different GDPR obligations. This third article focuses on a narrower but commercially important point: Article 27 GDPR and the obligation for certain non-EU controllers and processors to appoint a representative in the Union.
Why Article 27 is frequently misunderstood
Article 27 is one of the most regularly mishandled provisions in cross-border data protection practice. Part of the problem is conceptual. Many non-EU companies assume that appointing an EU representative is a technical formality, similar to adding a line to a privacy notice or naming an external compliance contact. Others make the opposite mistake and assume that, if no branch or subsidiary exists in the Union, the representative can somehow substitute for a proper territorial-scope analysis. Both views are wrong.
The legal logic is more demanding. Article 27 sits downstream from Article 3(2). It becomes relevant when a controller or processor is not established in the Union, yet the relevant processing still falls within the GDPR because the organisation offers goods or services to individuals in the Union or monitors their behaviour there. The representative requirement is therefore not an alternative to territorial-scope analysis; it is one of the consequences that can follow from it.
This is also why the issue matters commercially. A company may believe it has no real European footprint because headquarters, servers and decision-makers are outside the EU. But if it targets users, customers, job candidates, website visitors or app users in Italy or elsewhere in the Union, the GDPR can still apply, and Article 27 may become mandatory. Failure to designate a representative is an infringement in its own right: Article 27 falls within the group of obligations listed in Article 83(4)(a), sanctionable with administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. By the time the gap is discovered during a contract negotiation, diligence exercise, regulatory inquiry or internal audit, the absence of a valid representative often reveals a wider governance problem rather than a standalone paperwork defect.
When is an EU representative actually required?
In practical terms, the obligation usually arises where three elements are present at the same time:
- The controller or processor is not established in the Union.
- The relevant processing falls within Article 3(2) GDPR because goods or services are offered to individuals in the Union, or behaviour in the Union is monitored.
- No exemption under Article 27(2) applies.
That framework matters because companies sometimes skip directly to the representative question without first isolating the processing activity that creates the territorial hook. That is the wrong sequence. Article 27 should be analysed processing by processing, not only entity by entity. The fact that a non-EU company has some contact with Europe does not automatically mean every data flow across the group requires a representative. But where a particular processing operation clearly targets individuals in the Union or tracks their behaviour there, the issue becomes live very quickly.
For foreign companies with interests in Italy, the trigger is often easier to reach than business teams assume. The offering limb can arise through Italian-language websites, euro pricing, delivery into Italy, Italian customer onboarding, local support channels, or active targeting of Italian prospects. The monitoring limb may arise through behavioural advertising, app analytics, cookies and trackers, profiling, location-based functionality, device fingerprinting, fraud-detection tools or similar technologies used in relation to individuals in Italy or elsewhere in the Union.
The exemption exists, but it is narrower than many businesses think
Article 27(2) provides two exemptions, and both should be handled with caution. Under Article 27(2)(a), the representative obligation does not apply where the processing is only occasional, does not include on a large scale the processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. These three conditions are cumulative: failing any one of them removes the exemption. Under Article 27(2)(b), the obligation also does not apply to public authorities or bodies, which is rarely relevant to commercial operators.
In practice, this is not a comfortable exemption for many growth-stage or operational businesses. Repeated customer acquisition in the EU, recurring website tracking, structured CRM activity, platform onboarding, regular support interactions, SaaS account management, recruitment into EU markets or sustained app analytics rarely look truly occasional. Even where volumes are moderate, the processing may still be continuous enough to make reliance on the exemption fragile.
This is one of the most common implementation errors. Companies sometimes treat Article 27 as optional because they are not yet ‘large’ in Europe. That is not the test. The real question is whether the processing is genuinely occasional and low-risk in the sense contemplated by the Regulation. For many non-EU businesses with a live EU-facing operating model, the safer answer is often that the exemption should not be relied on without a disciplined legal analysis.
What the representative is and what it is not
A properly designated EU representative is not a symbolic mailbox. Under Article 27(1) the representative must be designated in writing, and under Article 27(4) it must be mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects in particular, on all issues related to the relevant processing. Recital 80 is explicit on this point: the representative should act on behalf of the controller or processor, may be addressed by any supervisory authority, and should itself be subject to enforcement proceedings where the controller or processor does not comply. The representative also carries a statutory duty of its own: Article 30 requires the controller's or processor's representative, where one exists, to maintain the record of processing activities. That makes the role operational, not ceremonial. It requires clear scope, documented authority, reliable escalation lines and an internal process for responding to requests.
At the same time, the role has important limits. Designating a representative does not create an ‘establishment’ of the controller or processor in the Union for the purposes of Article 3(1). The European Data Protection Board says this expressly in its Guidelines 3/2018 on territorial scope. The representative is also not the controller, not the processor, and not a substitute for the allocation of accountability within the business. Article 27(5) makes clear that legal action may still be initiated against the controller or processor themselves - the designation does not transfer responsibility or create any form of liability shield. This is one of the most commercially consequential misunderstandings: a representative cannot be used to distance the business from its own data protection obligations.
This distinction matters because Article 27 is often mishandled in two opposite directions. Some companies appoint a representative and assume that the broader architecture of transparency, lawful basis, role allocation, security, incident handling and international transfer governance can be addressed later. Others outsource the role to a service provider but give that provider almost no operational visibility, no written mandate of real use, and no process for handling regulator contact. In both scenarios, the representative exists on paper but is structurally weak in practice.
Where should the representative be established?
Article 27 does not allow a purely arbitrary choice. The representative should be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services or the monitoring of behaviour are located. That means the answer depends on the geographic footprint of the relevant processing, not simply on where the company prefers to buy the service.
For a non-EU company specifically targeting Italy, an Italian representative may be commercially and operationally sensible, particularly where Italian-language notices, local customer interactions or realistic contact with the Garante per la protezione dei dati personali may arise. Italy’s supervisory authority has an active enforcement posture in areas such as cookies, behavioural tracking, marketing and employment-related processing — all contexts in which an Article 27 representative may find itself as the practical first point of contact. But Italy is not legally mandatory in every case. If the relevant processing targets several Member States, the representative may be established in any one of the Member States where affected data subjects are located. What matters is that the designation reflects the actual territorial scope of the processing and can operate credibly in practice.
One further point is often missed. The mere presence of a representative does not create a main establishment and does not, by itself, trigger the one-stop-shop mechanism. The EDPB's Guidelines 9/2022 on personal data breach notification state this expressly. For non-EU entities subject to Article 3(2), that has a concrete consequence: in a breach scenario, the controller cannot route a single notification through the authority of the representative's Member State, but must notify every supervisory authority of a Member State in which affected data subjects reside, within the Article 33 deadline for each of them.
Why Article 27 is often mishandled in practice
The recurring failures are not usually doctrinal. They are operational:
- Territorial scope is analysed too late. The business launches first, and the representative question is left until a contract, diligence request or complaint exposes the gap.
- The wrong processing perimeter is used. Businesses appoint one representative for the group without checking which entity, product line or processing stream is actually caught by Article 3(2).
- No real written mandate exists. The arrangement may exist commercially, but the legal authority, escalation process and coverage of duties remain vague.
- The representative is confused with other roles. An EU representative is not the same thing as a DPO, local counsel, importer under Chapter V, or a general corporate contact point.
- Privacy notices and internal documentation are not aligned. The representative is omitted, described inaccurately, or not integrated into rights-handling and regulator-response workflows.
- Multi-jurisdiction operational reality is ignored. A representative is appointed in one Member State even though the company has not mapped which EU markets are actually targeted, what languages are required, or which authorities might become relevant.
For foreign companies operating into Italy, those failures often have a second-order effect. Once Article 27 has been mishandled, it is common to discover that records of processing, controller-processor contracts, transparency layers, cookie governance, complaint handling and transfer mechanisms are also incomplete. In other words, a defective representative appointment is often a symptom of a broader governance design problem.
A practical assessment framework before launch or remediation
Before launch - or as part of a remediation exercise - non-EU companies should usually test at least the following points in sequence:
1. Which processing activities fall within Article 3(2), and on what basis: offering, monitoring, or both?
2. Which non-EU entity or entities act as controller or processor for those processing streams?
3. Does the Article 27(2) exemption genuinely apply, or is the processing too regular, too structured or too risky for that position to be robust?
4. In which Member State should the representative be established, given where relevant data subjects are located?
5. What must the written mandate cover in operational terms, including escalation, response handling, supervisory authority contact and coordination with local counsel or compliance teams?
6. Which adjacent GDPR obligations need to be reviewed at the same time, including transparency, records, contracts, transfers, incident handling and, where relevant, DPIAs?
That sequence matters. Companies that treat the representative as a stand-alone checkbox often fix the most visible symptom while leaving the surrounding governance architecture untouched. The better approach is to use Article 27 as a forcing mechanism to map responsibility, processing scope and EU-facing operating reality, and then to translate that mapping into documented governance choices and operational responsibilities.
Conclusion
Article 27 is not the centre of the GDPR, but for non-EU companies it is often one of the clearest indicators that territorial-scope analysis has moved from theory into operational consequence. The real question is not whether a representative can be named quickly. The real question is whether the business has correctly identified the processing caught by Article 3(2), chosen a representative model that matches that footprint, and translated that assessment into governance choices that can hold up under contract review, data-subject scrutiny and supervisory authority contact.
For non-EU companies with interests in Italy, a mishandled Article 27 position is rarely an isolated defect. It usually points to a wider gap between the company’s EU-facing business model and the way privacy responsibilities, documentation and response workflows have actually been designed.
If your company offers goods or services into Italy or monitors individuals in Italy from outside the EU, Article 27 should be assessed before the absence of a valid representative becomes part of a wider governance problem.
P&S Legal works with non-EU companies and international groups to map the GDPR exposure created by their EU-facing operating model and design the governance architecture needed to address it.
Where appropriate, we help clients assess Article 27 exposure, define representative strategy, align privacy documentation and address the Italian implications of cross-border data flows, local-facing operations and regulator-facing accountability.