April 27, 2026

EU Representative Rules for UK Exporters in 2026

If you run a UK business that sells into the EEA or tracks EU users, the EU representative question has not gone away in 2026. The same applies if you handle EU personnel data through a supply chain or consortium. The rules around GDPR and Brexit are often treated as settled at board level, even where the detail is still misread.

Two things have happened in the last twelve months that matter. In December 2025, the European Commission renewed the UK's adequacy status for six years. In February 2026, the main data protection provisions of the Data (Use and Access) Act 2025 commenced. Neither changed Article 27 of the UK or EU GDPR. The requirement to appoint an EU representative, in writing, in a Member State where your data subjects are located, still applies to UK controllers and processors offering goods or services to the EEA or monitoring EEA behaviour.

The question most UK exporters are actually asking is whether they fall inside Article 27 in the first place, and if so, what appointing a representative looks like in practice. This piece works through both.

GDPR After Brexit: What Actually Changed for UK Exporters

When the transition period ended on 31 December 2020, the UK GDPR came into force on 1 January 2021 alongside the Data Protection Act 2018. The EU GDPR did not stop applying to UK organisations. It continues to apply extraterritorially under Article 3(2) wherever a UK business offers goods or services to people in the EEA or monitors their behaviour there.

That is the central point of GDPR after Brexit. One UK regime governs processing inside the UK. The EU regime governs UK-facing activity directed at the EEA. The two operate in parallel. Appointing an EU representative under Article 27 of the EU GDPR is how a UK controller or processor puts itself in formal reach of EU supervisory authorities and data subjects.

The UK's mirrored Article 27 inside UK GDPR works in reverse. EU and EEA firms offering goods or services to UK residents, or monitoring UK behaviour, have to appoint a UK representative. The two obligations are separate, and meeting one does not discharge the other.

Is GDPR Still Valid in the UK? The 2026 Position

GDPR is still valid in the UK. What operates in the UK is the UK GDPR, a near-identical version of the EU regulation retained in domestic law at the end of the transition period. It is read alongside the Data Protection Act 2018 and has been amended in part by the Data (Use and Access) Act 2025. The ICO remains the regulator. Enforcement powers remain intact. Boards being told that GDPR no longer applies in the UK are working from a misreading of the post-Brexit settlement.

When the EU GDPR Requires You to Appoint an EU Representative

The trigger is Article 3(2) of the EU GDPR. A UK controller or processor needs an EU representative if it processes the personal data of individuals in the EEA in connection with either:

  • offering goods or services to them, whether payment is required or not
  • monitoring their behaviour as far as that behaviour takes place inside the EEA

Offering goods or services is assessed on intent. An English-only website that happens to be accessible from Dublin does not automatically meet the test. A site that prices in euros, lists EU shipping options, runs EU paid media, or localises to French or German does. Monitoring behaviour covers analytics, session recording, profiling, ad targeting, and image-based identification. The Upper Tribunal's October 2025 decision in the Clearview AI case confirmed that scraping and matching facial images of UK residents sat inside monitoring of behaviour for the reciprocal UK regime. The same reasoning applies in the EU direction under Article 3(2)(b) of the EU GDPR.

If either limb is triggered, an EU representative is required unless a narrow exemption applies.

The Article 27 Exemption: Occasional Processing in Practice

Article 27(2)(a) exempts a controller or processor from the representative requirement only when all three of the following conditions are met at once:

  • the processing is occasional
  • it does not include large-scale processing of special category data under Article 9, or criminal convictions and offences data under Article 10
  • it is unlikely to result in a risk to the rights and freedoms of natural persons

EDPB Guidelines 3/2018 on territorial scope treat this exemption as narrow. Occasional describes the pattern of processing rather than the volume. Regular or repeated processing will not qualify, even if the headcount is small. Any ongoing SaaS relationship or subscription product will usually fall outside the exemption, as will recurring clinical or financial services.

Public authorities and bodies have a separate carve-out under Article 27(2)(b). It does not extend to private sector controllers such as healthtech vendors or defence suppliers. Most UK businesses with EEA customers or EEA end users will not qualify. The safest reading is to treat the exemption as a last-resort position. If you do rely on it, document the reasoning in writing and revisit the analysis every six months.

What the Data (Use and Access) Act 2025 Did and Did Not Change

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. The main data protection provisions commenced on 5 February 2026 under the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026 (SI 2026/82). Further provisions covering data subject complaints are due to commence on 19 June 2026.

The ICO has been explicit that the DUAA amends, but does not replace, the UK GDPR, the Data Protection Act 2018, and PECR. Article 27 of the UK GDPR is unchanged, and the EU GDPR is outside the reach of UK legislation in any case. The DUAA does not touch the EU representative obligation on UK exporters.

Two practical implications follow. First, any 2026 compliance programme that assumes the DUAA has lightened Article 27 duties, in either direction, is working off a misreading. Second, the EU-facing obligation is a separate legal exposure that UK businesses need to price into their market-access cost, alongside any DUAA-driven updates to internal documentation.

UK-EU Adequacy and the EU Representative Rule

On 19 December 2025, the European Commission adopted renewed adequacy decisions for the UK under both the GDPR and the Law Enforcement Directive. The new decisions run for six years, until 27 December 2031, with a joint Commission and EDPB review after four years (European Commission, IP/25/3059).

Adequacy means personal data can flow from the EEA to the UK without additional transfer safeguards such as Standard Contractual Clauses. It does not remove the EU representative requirement. Adequacy governs the legal basis for the transfer itself. Article 27 sits one layer up, on whether a UK business is itself subject to the EU GDPR for its own processing activity. The two questions sit in different parts of the regulation and need to be answered independently.

Sector Scenarios: Healthtech, Fintech, Defence, SaaS

The clearest way to test Article 27 is against real commercial patterns.

Healthtech

A UK digital health company whose app is used by EU patients during travel, or that runs research collaborations with EU clinical partners, will almost always need an EU representative. Patient data is special category under Article 9, processing is regular rather than occasional, and the Article 27(2) exemption cannot apply. Even where the EU data volume is low, the character of the data closes the exemption route.

Fintech

A UK firm offering consumer or SME financial services to EEA residents triggers Article 3(2) through the offering-goods-or-services limb. FCA authorisation does not create any Article 27 exemption. Post-Brexit passporting has ended, so most UK fintechs reaching EU customers are doing so via reverse solicitation or local partnerships, with some setting up new EU entities. The EU representative obligation sits on top of whichever structure is used, wherever the UK entity is a controller or processor within Article 3(2).

Defence

UK primes and tier-one suppliers handling EU personnel data inside consortium work will typically need an EU representative where they are controllers or joint controllers. The public authority exemption under Article 27(2)(b) does not extend to commercial defence contractors. Processor-only arrangements still trigger Article 27 for the processor, even where the EU controller carries the primary relationship with data subjects.

SaaS

A UK-hosted platform with EEA end users is inside Article 27 in almost all cases. SaaS is by definition recurring. Analytics, session recording, personalisation, and retargeting all sit inside monitoring of behaviour. The Clearview reasoning confirms that passive data capture counts. A UK SaaS vendor relying on an "EU business is the customer, EU individuals are not our data subjects" argument should test that position carefully against the contract and the data model, paying particular attention to how the marketing is pitched.

What Happens If You Do Not Appoint an EU Representative

Article 27 breaches fall inside the Article 83(4) tier, the lower of the two fine tiers. Maximum fines reach €10 million or 2% of total worldwide annual turnover, whichever is higher. UK enforcement in the reciprocal direction reaches £8.7 million or 2% of worldwide annual turnover under the equivalent UK GDPR tier.

Enforcement has teeth in practice. The Dutch DPA fined Locatefamily.com €525,000 in 2021 specifically for failing to designate an EU representative. The Italian Garante fined Clearview AI €20 million in 2022, and the ICO issued a £7.5 million penalty in the UK the same year. The First-tier Tribunal initially overturned the ICO's Clearview notice on jurisdictional grounds. On 6 October 2025 the Upper Tribunal reversed that decision and remitted the case, confirming that Clearview's processing related to monitoring of UK residents' behaviour and sat within UK GDPR scope. The direction of travel on scope has been expansive across both jurisdictions.

Article 27(5) is explicit that appointing a representative does not shift legal responsibility, a point regularly misunderstood at board level. The controller or processor remains liable for its own processing. A representative acts as a designated point of contact for supervisory authorities and data subjects, without absorbing any liability from the controller.

What to Put in Place

A defensible 2026 position usually has four parts:

  • a documented territorial scope analysis that records whether Article 3(2) applies, and which limb is triggered
  • a written mandate with a designated representative in a Member State where your data subjects are concentrated
  • representative contact details published in the privacy notice and reachable by supervisory authorities and data subjects
  • a review cadence that revisits the scope analysis at least annually, or sooner when materially new markets, products, or data flows are added

The written mandate should set out the scope of the representative's authority, record-keeping obligations, cooperation with the competent supervisory authority, and availability to data subjects. The EDPB is clear that a vague or unwritten arrangement will not satisfy Article 27.

How Naq Handles GDPR Alongside Other Frameworks

The Naq platform is built to automate UK GDPR evidence alongside ISO 27001, NHS DSPT, DTAC V2 and DCB 0129 from a single dashboard. Controls are mapped across frameworks, so one piece of evidence satisfies multiple requirements at once, rather than being collected three times. Adjacent frameworks supported include Cyber Essentials, MOD Secure by Design and JOSCAR-aligned defence evidence.

Article 27 exposure rarely sits in isolation. It sits alongside Records of Processing Activities under Article 30, lawful basis documentation, DPIAs, transfer paperwork, and the ISO 27001 Annex A controls that supervisory authorities treat as Article 32 evidence. The platform is built to surface those linkages so that one piece of evidence does not need to be produced and re-produced across five different audits. Naq also operates a Netherlands entity that can act as Article 27 representative for UK exporters in scope of the EU GDPR.

Where teams want named expert support, Naq's in-house virtual DPOs and Clinical Safety Officers sit alongside the platform where Article 27 analysis, representative selection or a full DPIA programme needs specialist input.

To see how Article 27 obligations and EU GDPR evidence map across your existing tooling and frameworks, book a 15-minute demo.

Written by
The Naq Team