FAQ
Frequently asked questions
Straight answers to the questions that come up most before someone signs a mandate agreement.
GDPR Article 27 requires most companies based outside the EU that sell to EU customers to appoint a representative established in the EU. That representative is a real point of contact — regulators and individuals can address data protection matters to them directly, instead of only to the company itself. It's a legal appointment, not a marketing service.
If your business is based outside the EU and offers goods or services to people in the EU — including standard e-commerce shipping — Article 27 generally applies to you. Non-compliance can carry fines of up to €10M or 2% of global annual turnover. If you're not sure whether it applies to your specific business, a quick compliance check can confirm it.
No. Article 27 requires genuine establishment in the EU — a real, addressable point of contact who can be reached by regulators and data subjects. A US-based employee, a virtual mailbox, or a forwarding address doesn't meet that requirement, even if the address is technically located in the EU.
No. Shopify, BigCommerce, and similar platforms include a privacy policy template with a blank field for your EU representative's contact details — but they don't supply the representative. That field has to be filled in by an actual appointed person or firm, which is what Repline27 provides.
A Data Protection Officer (DPO) advises a company internally on its own data-handling practices and compliance. An Article 27 representative is a separate, external role — a standing point of contact in the EU for regulators and data subjects to reach. Repline27 provides the representative role only; we don't offer DPO services.
Yes, if you ship to UK customers. UK GDPR is a separate law from the EU GDPR, with its own representative requirement — an EU representative does not cover UK obligations, or vice versa. Repline27 covers the UK as a separate add-on through a partner representative.
The representative appointment itself moves quickly — the mandate agreement and privacy policy update are typically complete within the first week, so you're covered early. VAT/OSS registration and CE/UKCA marking, if applicable, take longer and run in parallel, but they don't delay when your Article 27 coverage starts.
The annual retainer (from €89/month, priced by company revenue) covers Repline27 remaining listed as your standing EU representative with regulators and customers, and forwarding any GDPR request or regulatory inquiry to you within 24 hours — so you have the full 30-day legal window to respond. Coverage is identical at every pricing tier — only the price scales with company size. You remain responsible for the substance of any response — the fee covers receiving and relaying, not answering on your behalf.
Canceling stops the annual retainer at renewal — Repline27 will no longer serve as your appointed EU representative once the coverage period ends, so you'd need to name a new representative before then to remain compliant. Contact us directly to arrange the specific timing of a cancellation.