Guides

Do Indian SaaS companies need an EU representative?

Not always. GDPR Article 27 requires a representative when Article 3(2) applies, unless your processing is only occasional, is unlikely to risk people’s rights and freedoms, and does not involve large-scale special-category or criminal-offence data.

Best fit

Founders and privacy owners deciding whether Article 27 applies

Last updated: 2026-03-14

What the law says

Article 27 says a controller or processor that falls under Article 3(2) must designate a representative in writing in the Union. The representative must be established in one of the Member States where the affected data subjects are located.

The EDPB territorial-scope guidance treats Article 27 as part of the same non-EU targeting analysis. The key first question is not 'Are we outside the EU?' but 'Does Article 3(2) apply to what we are doing?'

When the exception may apply

Article 27(2) creates a narrow exception. The obligation does not apply if the processing is occasional, unlikely to create risk to people’s rights and freedoms, and does not include large-scale special-category data or criminal-offence data.

That means many SaaS teams should not assume the exception automatically fits. Ongoing product usage, recurring support processing, or a steady EU sales motion can make the 'occasional' argument hard to defend.

A practical founder checklist

These questions usually decide whether you need a deeper Article 27 review.

  • Do you actively offer goods or services to people in the EU?
  • Do you monitor behaviour in the EU, for example through tracking tied to user behaviour?
  • Is the EU-facing processing ongoing rather than occasional?
  • Do you process special-category data or other sensitive data at scale?
  • If a representative is needed, which Member State best matches where your EU data subjects are?

Product context

See how the annual plan supports procurement responses once your Article 27 position is clear. Review annual pricing for buyer readiness.

Related guide

Continue with GDPR for Indian SaaS: what EU customers actually ask for.

Sources

Official GDPR text on EUR-Lex

Official GDPR text, especially Articles 3 and 27.

Open source

EDPB Guidelines 3/2018 on territorial scope

Official EDPB guidance on non-EU targeting and representatives.

Open source

Next step

Use the guide as the baseline, then generate your own pack when you are ready to replace examples with your actual company, product, and vendor details.

Start Free