EU/UK Representative vs DPO: what’s the difference?

AI & Data
Written By Shayne Adler

A Representative is a local contact you must appoint if you target EU/UK users from outside the region. A DPO is a privacy expert role required only in specific “larger-scale” situations. Some companies need one, some the other, some both.

Under GDPR/UK GDPR, a Representative is a person or company in the EU or UK that acts as your point of contact for regulators and data subjects when you don’t have a local establishment but offer goods/services or monitor behavior there. You generally must appoint one unless your processing is only occasional, low-risk, and not large-scale special-category data.

By contrast, a Data Protection Officer (DPO) is required when your core activities involve regular/systematic large-scale monitoring or large-scale special-category processing (or you’re a public authority). A DPO can be internal or external and must be reachable and independent. You can have a Representative and a DPO, one, or neither depending on your footprint and risk profile. Map your markets and processing first, then decide.

Highlights

  • Representative: local contact for non-EU/UK entities; publish details.

  • DPO: expert role triggered by large-scale monitoring or special-category processing.

  • You may need one, both, or neither. Your risk and geography decide.

How to apply

  1. List where you sell or where your monitor users.

  2. Classify processing and scale.

  3. If non-EU/UK and in scope → appoint a Representative.

  4. If high-risk/large-scale → appoint a DPO.

Sources

GDPR Art. 27 (Representative), Art. 37 (DPO), ICO guidance on UK representatives.

Shayne Adler
Previous

What is a “live sub-processor list”? Do we need one?
Next

The EU Data Act: What changes for cloud & SaaS switching (egress fees, timelines)?