Got a question about GDPR or EU Representation?
The following section helps answer many of the questions you may have about appointing an EU Rep. For more information on GDPR and how non-EU companies must comply, contact us and we’ll be delighted to help.
- Why does my organisation need an EU Rep?
The GDPR is a piece of extra-territorial legislation. It applies to private organisations (including non-profits) who use data relating to individuals in the EU. Therefore if you sell or market to the EU, or even merely accept orders from the EU (unless you don’t do so regularly and it occurs outside your regular course of business or activity), you are likely to require an EU Representative. See here for further guidance from the European Data Protection Board.
- What to look out for in choosing an EU Rep?
First and foremost, make sure your EU Representative is actually based in an EU jurisdiction. Unfortunately, quite a few companies offer services through a brass plate operation, where the business is actually based in the UK or the US and the EU operation is little more than a PO Box address or a zombie company with no employees actually based in the EU. Such an arrangement is unlikely to be found to be an establishment for EU purposes. Always look behind the company address to see where the decisions of the business are taken and where its data protection expertise is actually located. EU Rep is based in Ireland with its experts based in Dublin and Cork.
Secondly, be aware that an EU Representative service has limited duties and functions with regard to your compliance, so an expensive EU Representative is likely providing you with expensive add-ons not required by Article 27, or alternatively is simply overpricing.
Thirdly, choose an EU Representative with legal expertise behind it. In the event that you need further assistance, particularly with litigation or Supervisory Authority regulatory action, it helps to have an EU Representative who can competently advise you.
Lastly, it makes sense to choose an EU Representative who charges only for what they do. At EU Rep we charge a cost-competitive amount for the service of providing representation, but we also provide competitive rates for other work should you need us. We do not front-load charges for services that you may never need.
- What happens should you not comply with the law?
The penalties for failure to comply with GDPR are HUGE. There are Administrative Fines of up to €20 million or 4% of global turnover, whichever is the highest. In some jurisdictions of the EU, personal criminal liability will attach to persons such as managers, company directors or other company officers. This can be a personal liability both for criminal fines and for imprisonment, as well as the corporate liability for the administrative fines set out above. Both the Administrative Fines and the personal criminal liability referred to above can be enforced throughout the EU, not just in the country in which the Administrative Fine or personal criminal liability is imposed.
- Why comply?
Complying with GDPR shows your customers that your company is accountable and that you take their data protection seriously. Complying with Article 27 of the GDPR creates trust, enhances your company’s reputation and provides security for customer data. It also informs your business partners that your company complies with the EU’s data protection standards, and it reduces the risk of heavy sanctions, which can reach up to €20 million or 4% of global turnover, whichever is highest, or indeed of personal criminal liability.
- Where is EU Rep based?
We’re based in Ireland. After BREXIT in early 2020, Ireland became the only 100% English-speaking member of the EU.
- EU Rep is insured to provide the service of Article 27 EU Representative to you.
EU Rep is insured to provide our service as your Article 27 EU Representative. Our insurers are HISCOX SA, Luxembourg. Policy Number: HU PI6 9720552 (3)
- What does your Art 27 service include?
Each of the three services (E-Rep, PRO and PREMIUM) includes the Article 27 service provided by EU Rep, comprising holding your Article 30 record (as set out by you in the signup process), appointing us as your Article 27 EU Representative, providing you with wording to comply with your transparency obligations under Articles 12, 13 and 14 with regard to the notification of EU Rep as your Article 27 Representative, and the execution of a Controller – Processor Agreement in conformity with Article 28.3. All of the above are mandatory requirements for you under the GDPR. We also provide a Certificate of Compliance with Article 27 GDPR.
Representation here in the EU costs from just €19 per month. There is a one-off sign-up fee from just €99. This covers our appointment and continuing representation for you, and also covers our forwarding any correspondence from data subjects or supervisory authorities to you, together with general advice accompanying such correspondence.
- What are the differences between your E-Rep, PRO and PREMIUM services?
Our E-Rep service is self-directed. If you are comfortable that you have sufficient knowledge of GDPR and Article 27 in particular, you can sign up to appoint us as your EU Representative without assistance. Simply fill out our questionnaire (which is part of the signup process) and this acts as your Article 30 ROPA record. We provide you with all necessary documentation and we will then be your contact point as required by EU law for EU Supervisory Authorities or individuals in the EU who wish to contact you. The Certificate of Compliance with Article 27 GDPR provided to you is generic and your company is not named on it.
Our PRO service provides a review of your Article 30 ROPA record. If you are not comfortable that you have sufficient knowledge of GDPR and Article 27 we will review your Article 30 ROPA record and provide our assistance on improving it. Simply fill out our questionnaire (which is part of the signup process) and this acts as your Article 30 ROPA record. After signup you can also send us your own drafted Article 30 ROPA by email for review. We provide you with all necessary documentation and we will then be your contact point as required by EU law for EU Supervisory Authorities or individuals in the EU who wish to contact you. As part of our continuing service, we are available to review any updated Article 30 ROPA record you may need as your processing changes over time. The Certificate of Compliance with Article 27 GDPR provided to you is tailored to your company and can refer to the company specified by you.
Our PREMIUM service provides a mini-audit after which we draft or redraft your Article 30 ROPA record for you. Simply fill out our questionnaire as best you can (which is part of the signup process) and we will contact you to arrange the mini-audit over web conference. We provide you with all necessary documentation and we will then be your contact point as required by EU law for EU Supervisory Authorities or individuals in the EU who wish to contact you. As part of our continuing service, we are available to review any updated Article 30 ROPA record you may need as your processing changes over time. The Certificate of Compliance with Article 27 GDPR provided to you is tailored to your company and can refer to the company specified by you.
- What if our Article 30 record is very bespoke or specific to our needs only?
As part of our PRO and PREMIUM services, we are happy for you to upload or e-mail us a copy of any additional Article 30 record that you wish us to hold for you from time to time.
- What extra services do you provide?
The Article 27 service provided by EU Rep consists of the appointment of EU Rep as your EU Representative and all contractual documentation required to make that appointment effective. We will forward all contact from data subjects or supervisory authorities onto you as received, together with general GDPR advice. From time to time however you may require us to issue correspondence on your behalf. Our cost for issuing correspondence on your behalf is €50 per item of correspondence. Should more specific advice be required, we can provide this to you costed on a per item basis according to complexity and anticipated time expenditure. In particular, we can assist you in reporting personal data breaches to Supervisory Authorities or notifying personal data breaches to affected data subjects.
- Do we need changes to other documentation?
Yes, you should update your privacy documentation to reflect the appointment of your EU Representative. Sample wordings are included in the download pack provided to you on signup.
- Can you assist with data breaches?
Yes, we can assist you in reporting personal data breaches to Supervisory Authorities or notifying personal data breaches to affected data subjects. We can also assist you with the mandatory entry you must make in your data breach log, which you are required to do even if the data breach is not reportable or notifiable, and we can advise you generally on how to approach the data breach.
- What does 'established in the EU' mean?
The term “establishment” is not defined, but Recital 22 of the GDPR states: “Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
This is in accordance with CJEU case law such as Weltimmo, where the key thing is that the arrangement is stable, and that the activity is real. Thus even an EU subsidiary may not qualify as an establishment if it carries on no real activity in the EU.
- I am established outside the European Union - What should I do?
If you sell to, or market to, EU citizens, it is highly likely that you will need to appoint an EU Rep to comply with Article 27 of the GDPR. We can help for a low-cost monthly fee.
- I am established in the EU - Am I exempt?
To be “established” in the EU requires “the effective and real exercise of activity through stable arrangements”, suggesting that an actual base of operations may be required to meet this requirement. Even an EU subsidiary may not qualify as an establishment under the Weltimmo ECJ ruling if it carries on no real activity in the EU in the context of the processing of the personal data in question.
If you are established in the EU then the GDPR Article 27 requirement to appoint an EU Representative does not apply to your business. If you are NOT established in the EU and you target the EU market then the GDPR Article 27 requirement to appoint an EU Representative will likely apply to your business.
- Processing of Personal data - Am I exempt?
Article 2(2)(a), outside the scope of EU law: is the processing of personal data undertaken in the course of an activity which falls outside the scope of EU law? This exclusion applies to those areas where individual EU Member States retain control, including issues of fundamental rights and national security (Recital 16). Unless you are aware of a specific exemption, it would be best to assume the relevant activities will fall within the scope of EU law.
- Local Authorities - Am I exempt?
Article 27(2)(b) exempts public authorities and public bodies. This will include local and central government, as well as most publicly-funded institutions (education, healthcare, judiciary), but may not extend to private education and healthcare, especially where special category data (e.g. medical, religion, etc.) is being processed. This is interpreted on a national basis, according to what is defined as a public authority by that country.
- What are the fees?
Representation here in the EU costs just €19 per month. There is a one-off sign-up fee of €99. This covers our appointment and continuing representation for you, and also covers our forwarding any correspondence from data subjects or supervisory authorities to you, together with general advice accompanying such correspondence. If you require us to send correspondence to data subjects or supervisory authorities on your behalf, we charge €50 per item of correspondence.
- What payment methods do you accept?
We accept payments by either credit card or direct debit. Credit card transactions happen in near real time and your documents will be sent by email as soon as payment is made, so you should have them within minutes of the transaction. Direct Debit payments take a few days to be set up for the initial transaction, and documents are sent automatically once the first payment is received. Both payment methods are processed automatically by our payments provider STRIPE, and processing of your order is done automatically by us on receipt of payment. If documents are needed immediately but your organisation generally wishes to pay by Direct Debit, note that some organisations have signed up by credit card and then switched once the initial transaction is completed in near real time. That way they have both their documents in near real time and their preferred payment method set up for future payments.
- What if I need to change my payment details?
The good news is that it takes less than two minutes to change payment details.
- What if we have a number of companies we wish to be represented as a Group?
If you have more than one company to be represented, sign up each company separately. However, if you are signing up five or more companies, please contact us as we will provide an additional discount on signup fees for the fifth or subsequent company.
- Can our EU subsidiary or supplier be our EU Representative?
The European Data Protection Board has given a Guidance Note to the effect that the role of processor is incompatible with being an EU Representative. Therefore if your subsidiary or supplier processes ANY data on your behalf relating to EU residents, it will not be available to be a valid EU Representative for you. As a matter of practicality, even if your EU subsidiary or supplier does not use any such data, including contact details, it is still generally the case that subsidiaries and suppliers make poor EU Representatives, as their main function is usually not a compliance function, and they are usually not GDPR specialists.
- I am a UK-based business - How does Brexit affect me?
Now that the UK has exited the EU, you will be required to comply with Article 27 and appoint an EU Representative.
Separate to the requirement to appoint an EU Representative, UK companies will be required to put procedures in place to allow them the right to transfer or access EU personal data. Temporarily, there are transitional arrangements in place to allow for the transfer of EU personal data to the UK up to the end of April 2021; this will be extended to the end of June 2021 if neither side objects. After June 2021 you will be required to have measures in place to legitimise the transfer of personal data from the EU. The most likely solution for you will be the use of Standard Contractual Clause (Model Clause) Agreements (but since the European Court of Justice case of Schrems II, you will have to assess the circumstances of each transfer to ensure compliance). You may also need to put in place Controller – Processor Agreements with your Processors (if you are a Controller), or your Controllers may need to put in place Controller – Processor Agreements with you (if you are a Processor). You will also be required to ensure that your processing is in conformity with GDPR. We can assist you with this through audits and remediation of your processes and policies. You should have this in place prior to the end of June 2021 as there will be no more grace periods, unless a new agreement is negotiated, or the EU awards “adequacy” to the UK, both of which are far from certain.
- Why should I choose EU Rep?
We are data protection experts, lawyers and business professionals. We understand exactly what you require.
- What should I do next?
To get started here, simply click on the Appoint your Rep page and fill in the form – it’s that simple!