Make sure you are compliant or risk a fine from the relevant Data Protection Authority


Following the UK’s exit from the EU, the UK is now viewed as a “third country” by the EU. Under the EU GDPR’s Article 27, UK businesses operating in the EU without a physical presence are mandated to appoint a “GDPR Representative” within the EU. This representative acts as a bridge between the business, individuals, and data protection authorities, ensuring GDPR compliance.



We assist EU, UK, and overseas companies in navigating the data protection landscape. Our Article 27 GDPR Representative service ensures you remain compliant, facilitating smooth communication with data protection authorities.



Our tiered pricing is based on the size of your organisation in terms of employee headcount and number of entities to cover, an example of this can be found in the FAQs section. Please contact us for a tailored quote.

Average Years PQE

Clients Served

Transactions Handled

Countries Covered

Article 27 Representative Service FAQs

How does this work for foreign businesses that trade in the UK under the UK GDPR?

Under the UK GDPR, any non-UK based business that does not have a business presence in the UK, but which transacts business in the UK or monitors the behaviour of UK-based individuals must have a GDPR Representative in the UK. In this situation, organisations must appoint an EU and/or UK GDPR Representative in a relevant EU Member State and/or the UK. In certain situations, and as a consequence of Brexit, organisations may have to appoint a GDPR Representative in both the EU and the UK.

Why does this regulation exist?

The requirement of the Article 27 Representative has been put in place to provide the relevant Data Protection Authority with the ability to enforce the GDPR against entities that are out of the jurisdictional reach of the EU.

Who are the 360 Business Law Privacy Solutions Representatives?

Our representative services are provided by a team of expert lawyers, with in-depth experience of working with EU and UK regulators and advising on privacy compliance projects. The team, headed up by Duncan Gillespie, a solicitor admitted in England and Wales with nearly 25 years’ experience and a data privacy specialist, will work with our UK and EU legal teams enabling us to provide you with the legal guidance needed to respond effectively to inquiries by supervisory authorities or more complex interactions with data subjects.

What does a 360 Business Law GDPR Representative do?

EU or UK representatives have to meet the specific requirements. Our representatives are here to:

  • Understand your approach to GDPR and/or the UK GDPR (if applicable) compliance;
  • Dedicate time to understand your personal data processing activities and your approach to compliance.
  • Keep in touch with you so you’re up to date with respective changes to EU rules on personal data processing.
  • Act on your behalf in the EEA (including the EU) and/or the UK (if applicable);
  • Be named in your privacy notices as a point of contact in the EEA and/or the UK.
  • Act on your behalf with European and/or UK data protection authorities.
  • Be the contact point for data subject requests.
  • Maintain your record of processing activities (ROPA) as required the GDPR and/or the UK GDPR.

Additional optional services

Provide you with our assessment of your state of compliance with the GDPR and/or the UK GDPR

In the first year, we can undertake an initial audit of your privacy compliance or review an existing audit to help you ensure you are in line with applicable data protection requirements. In the following years, we can run an annual high-level audit to ensure you remain compliant over time.

How do the fines work?

The Commission can issue fines for not having an Article 27 Representative appointed in accordance with Article 83(4):

83 (4) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
the obligations of the certification body pursuant to Articles 42 and 43;
the obligations of the monitoring body pursuant to Article 41(4).

Where can I find more information?

On 26th January 2021 we hosted a webinar on the subject which is available to stream On-Demand at

You can also contact us for a consultation to find out whether this service is right for your business.

How is the service priced?

The below pricing table is for UK businesses, if you are located in another jurisdiction and interested in this service, please contact us for a bespoke quote:


Size of business Number of entities covered Monthly cost 2023 Annual Cost 2023
Start-up – Founders only 1 £28.62 £309.10
Micros – <10 employees 1 £51.52 £556.37
Small – 11 – 49 employees 2 £91.58 £989.11
Lower mid-market – 50-249 employees 5 £217.51 £2,349.13
Upper mid-market 250 – 499 employees 10 £449.91 £4,859.00
Large 500 + Unlimited £549.50 £5,934.64
*Prices exclude VAT

What Our Clients Say

Data Protection Law News

Contact Us