Got a question about GDPR or EU Representation?
The following section helps answer many of the questions you may have about appointing an EU Rep. For more information on GDPR and how non-EU companies must comply, contact us and we’ll be delighted to help.
- What to look out for in choosing an EU Rep?
First and foremost, make sure your EU Representative is actually based in an EU jurisdiction. There are unfortunately quite a few companies trying to offer services, via a brass plate operation whereby the operation is actually based in the UK or the US and the EU operation is little more than a PO Box address or a zombie company with no employees actually based in the EU. This is likely not to be found to be an establishment for EU purposes. Always look behind the company address to see where the decisions of the business are taken and where its data protection expertise is actually located. EU Rep is based in Ireland with its experts based in Dublin and Cork.
Secondly, be aware that an EU Representative service has limited duties and functions with regard to your compliance, so an expensive EU Representative is likely providing you with expensive add-ons not required by Article 27, or alternatively is simply overpricing.
Thirdly, choose an EU Representative with legal expertise behind it. In the event that you need further assistance, particularly with litigation or Supervisory Authority regulatory action, it helps to have an EU Representative who can competently advise you.
Lastly, it makes sense to choose an EU Representative who charges only for what they do. At EU Rep we charge a cost competitive amount for the service of providing representation, but we also provide competitive rates for other work should you need us. We do not front load charges for services that you may never need.
- What happens should you not comply with the law?
The penalties for failure to comply with GDPR are HUGE. There are Administrative Fines of up to €20 million or 4% of global turnover whichever is the highest. In some jurisdictions of the EU, personal criminal liability will attach to persons such as managers, or company directors or other company officers. This can be a personal liability both for criminal fines and for imprisonment, as well as the corporate liability for the administrative fines set out above. Both the Administrative Fines and the personal criminal liability referred to above can be enforced throughout the EU, not just in the country that the Administrative Fine or personal criminal liability is imposed.
- Why comply?
Complying with GDPR shows your customers that your company is accountable and that you take their data protection seriously. Complying with Article 27 of the GDPR creates trust, enhances your company’s reputation and provides security for customer data. It also informs your business partners that your company complies with the EU’s data protection standards and it reduces risks of heavy sanctions that can reach up to €20 million or 4% of global turnover, whichever is highest or indeed personal criminal liability.
- Where is EU Rep based?
We’re based in Ireland. After BREXIT in early 2020, Ireland became the only 100% English speaking member of the EU.
- EU Rep is insured to provide the service of Article 27 EU Representative to you.
EU Rep is insured to provide our service as your Article 27 EU Representative. Our insurers are HISCOX SA, Luxembourg. Policy Number: HU PI6 9720552 (3)
- What does your service include?
The Article 27 service provided by EU Rep comprises holding your Article 30 record (as set out by you in the signup process), appointing us as your Article 27 EU Representative, providing you with wording to comply with your transparency obligations under Article 12, 13, and 14 with regard to the notification of EU Rep as your Article 27 Representative, and the execution of a Controller – Processor Agreement in conformity with Article 28.3. All of the above are mandatory requirements for you under the GDPR.
Representation here in the EU costs just €19 per month. There is a one-off sign-up fee of €99. This covers our appointment and continuing representation for you, and also covers our forwarding any correspondence from data subjects or supervisory authorities to you, together with general advice accompanying such correspondence.
- What extra services do you provide?
The Article 27 service provided by EU Rep consists of the appointment of EU Rep as your EU Representative and all contractual documentation required to make that appointment effective. We will forward all contact from data subjects or supervisory authorities onto you as received, together with general GDPR advice. From time to time however you may require us to issue correspondence on your behalf. Our cost for issuing correspondence on your behalf is €50 per item of correspondence. Should more specific advice be required, we can provide this to you costed on a per item basis according to complexity and anticipated time expenditure. In particular, we can assist you in reporting personal data breaches to Supervisory Authorities or notifying personal data breaches to affected data subjects.
- Can you assist with data breaches?
Yes, we can assist you in reporting personal data breaches to Supervisory Authorities or notifying personal data breaches to affected data subjects. We can also assist you with the mandatory entry you must make in your data breach log, which you are required to do even if the data breach is not reportable or notifiable, and we can advise you generally on how to approach the data breach.
- What does 'established in the EU ' mean?
The term “establishment” is not defined, but Recital 22 of the GDPR states: “Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
This is in accordance with CJEU case law such as Weltimmo, where the key thing is that the arrangement is stable, and that the activity is real. Thus even an EU subsidiary may not qualify as an establishment if it carries on no real activity in the EU.
- I am established outside the European Union - What should I do?
If you sell to, or market to EU citizens it is highly likely that you will need to appoint an EU Rep to comply with Article 27 of the GDPR. We can help for a low-cost monthly fee.
- I am established in the EU - Am I exempt?
To be “established” in the EU requires “the effective and real exercise of activity through stable arrangements”, suggesting that an actual base of operations may be required to meet this requirement. Even an EU subsidiary may not qualify as an establishment under the Weltimmo ECJ ruling if it carries on no real activity in the EU in the context of the processing of the personal data in question.
If you are established in the EU then the GDPR Article 27 requirement to appoint an EU Representative does not apply to your business, If you are NOT established in the EU and you target the EU market then the GDPR Article 27 requirement to appoint an EU Representative will likely apply to your business.
- Processing of Personal data - Am I exempt?
Article 2 (2)(A) outside the scope of EU law – Is the processing of personal data undertaken in the course of an activity which falls outside the scope of EU law? This exclusion applies to those areas where individual EU Member States retain control, including issues of fundamental rights and national security (Recital 16). Unless you are aware of a specific exemption, it would be best to assume the relevant activities will fall within the scope of EU law. If you answered YES – Article 27 does not apply to your business, If you answered NO – Article 27 may apply to your business.
- Local Authorities - Am I exempt?
Article 27(2)(B) Looks at whether you are a Public Authority: this will include local and central government, as well as most publicly-funded institutions (education, healthcare, judiciary), but may not extend to private education and healthcare, especially where sensitive data (e.g. medical, religion etc) is being processed. It is not clear whether this could be interpreted on a national basis, according to what is defined as a public authority by that country. If you answered YES – Article 27 does not apply to your business, if you answered NO – Article 27 may apply to your business, please continue to next question.
- What are the fees?
Representation here in the EU costs just €19 per month. There is a one-off sign-up fee of €99. This covers our appointment and continuing representation for you, and also covers our forwarding any correspondence from data subjects or supervisory authorities to you, together with general advice accompanying such correspondence. If you require us to send correspondence to data subjects or supervisory authorities on your behalf, we charge €50 per item of correspondence.
- How would Brexit affect me?
In the event of a no – deal Brexit, or possibly even in the event of a limited deal, you will require to take steps to legitimise the transfer of personal data from the EU. The most likely solution for you will be the use of Standard Contractual Clause (Model Clause) Agreements (but since the case of SchremsII, you will have to assess the circumstances of each transfer to ensure compliance) and you may also require to put in place Controller – Processor Agreements with your Processors (if you are a Controller) or your Controllers may require to put in place Controller – Processor Agreements with you (if you are a Processor). You will also require your processing to be in conformity with GDPR. We can assist you with this through audits and remediation of your processes and policies.
- Why should I choose EU Rep?
We are data protection experts, lawyers and business professionals. We understand exactly what you require.
- What should I do next?
To get started here, simply click on the Appoint your Rep page and fill in the form – it’s that simple!