FAQ
Got a question about GDPR or EU Representation?
The following section helps answer many of the questions you may have about appointing an EU Rep. For more information on GDPR and how non-EU companies must comply, contact us and we’ll be delighted to help.
- Why does my organisation need an EU Rep?
The GDPR is a piece of extra-territorial legislation. It applies to private organisations (including non-profits) who use data relating to individuals in the EU. Therefore if you sell or market to the EU, or even merely accept orders from the EU (unless you don’t do so regularly and it occurs outside your regular course of business or activity), you are likely to require an EU Representative. Further guidance is available from the European Data Protection Board (the overall body responsible for GDPR in the EU).
- What to look out for in choosing an EU Rep?
First and foremost, make sure your EU Representative is actually based in an EU jurisdiction. There are unfortunately quite a few companies trying to offer services via a brass plate operation, whereby the operation is actually based in the UK or the US and the EU operation is little more than a PO Box address or a zombie company with no employees actually based in the EU. Such an arrangement is unlikely to be found to be an establishment for EU purposes. Always look behind the company address to see where the decisions of the business are taken and where its data protection expertise is actually located. EU Rep is based in Ireland with its experts based in Dublin and Cork.
Secondly, be aware that an EU Representative service has limited duties and functions with regard to your compliance, so an expensive EU Representative is likely providing you with costly add-ons not required by Article 27, or alternatively is simply overpricing.
Thirdly, choose an EU Representative with legal expertise behind it. In the event that you need further assistance, particularly with litigation or Supervisory Authority regulatory action, it helps to have an EU Representative who can competently advise you.
Lastly, it makes sense to choose an EU Representative who charges only for what they do. At EU Rep we charge a cost competitive amount for the service of providing representation, but we also provide competitive rates for other work should you need us. We do not front load charges for services that you may never need.
- What happens should you not comply with the law?
The penalties for failure to comply with GDPR are HUGE. There are Administrative Fines of up to €20 million or 4% of global turnover, whichever is the highest. In some jurisdictions of the EU, personal criminal liability will attach to persons such as managers, company directors or other company officers. This can be a personal liability both for criminal fines and for imprisonment, as well as the corporate liability for the administrative fines set out above. Both the Administrative Fines and the personal criminal liability referred to above can be enforced throughout the EU, not just in the country in which the Administrative Fine or personal criminal liability is imposed.
- Why comply?
Complying with GDPR shows your customers that your company is accountable and that you take their data protection seriously. Complying with Article 27 of the GDPR creates trust, enhances your company’s reputation and provides security for customer data. It also informs your business partners that your company complies with the EU’s data protection standards, and it reduces the risk of heavy sanctions that can reach up to €20 million or 4% of global turnover, whichever is highest, or indeed personal criminal liability.
- Where is EU Rep based?
We’re based in Ireland. After BREXIT in early 2020, Ireland became the only 100% English speaking member of the EU.
- EU Rep is insured to provide the service of Article 27 EU Representative to you.
EU Rep is insured to provide our service as your Article 27 EU Representative. Our insurers are HISCOX SA, Luxembourg. Policy Number: HU PI6 9720552 (3)
- What does your Art 27 service include?
Each of the three services (E-Rep, PRO and PREMIUM) includes the Article 27 service provided by EU Rep, comprising holding your Article 30 record (as set out by you in the signup process), appointing us as your Article 27 EU Representative, providing you with wording to comply with your transparency obligations under Articles 12, 13 and 14 with regard to the notification of EU Rep as your Article 27 Representative, and the execution of a Controller – Processor Agreement in conformity with Article 28.3. All of the above are mandatory requirements for you under the GDPR. We also provide a Certificate of Compliance with Article 27 GDPR.
Representation here in the EU costs from just €19 per month. There is a one-off sign-up fee from just €99. This covers our appointment and continuing representation for you, and also covers our forwarding any correspondence from data subjects or supervisory authorities to you, together with general advice accompanying such correspondence.
- What are the differences between your E-Rep, PRO and PREMIUM services?
Our E-Rep service is self-directed. If you are comfortable that you have sufficient knowledge of GDPR and Article 27 in particular, you can sign up to appoint us as your EU Representative without assistance. Simply fill out our questionnaire (which is part of the signup process) and this acts as your Article 30 ROPA record, or you can upload your own drafted ROPA. We provide you with all necessary documentation and we will then be your contact point as required by EU law for EU Supervisory Authorities or individuals in the EU who wish to contact you. The Certificate of Compliance with Article 27 GDPR provided to you is generic and your company is not named on it. We do not check your ROPA as part of our E-Rep service.
Our PRO service provides a review of your Article 30 ROPA record. WE WILL REVIEW your Article 30 ROPA record and provide our assistance on improving it. Simply fill out our questionnaire (which is part of the signup process) and this acts as your Article 30 ROPA record, or you can upload your own drafted ROPA. After signup you can also send us any updated Article 30 ROPA by email for review. We provide you with all necessary documentation and we will then be your contact point as required by EU law for EU Supervisory Authorities or individuals in the EU who wish to contact you. As part of our continuing service, we are available to review any updated Article 30 ROPA record you may need as your processing changes over time. The Certificate of Compliance with Article 27 GDPR provided to you is tailored to your company and can refer to the company specified by you.
Our PREMIUM service provides a mini-audit after which we draft or redraft your Article 30 ROPA record for you. Simply fill out our questionnaire as best you can (which is part of the signup process) and we will contact you to arrange the mini-audit over web conference. We provide you with all necessary documentation and we will then be your contact point as required by EU law for EU Supervisory Authorities or individuals in the EU who wish to contact you. As part of our continuing service, we are available to review any updated Article 30 ROPA record you may need as your processing changes over time. The Certificate of Compliance with Article 27 GDPR provided to you is tailored to your company and can refer to the company specified by you.
- What if our Article 30 record is very bespoke or specific to our needs only?
As part of our services, we are happy for you to upload a copy of any Article 30 record that you wish us to hold for you from time to time.
- What if we believe that we don't need an Article 30?
Only organisations with fewer than 250 employees who do not process “special category data” (including any form of health data) or data relating to criminal convictions and offences AND whose processing is unlikely to result in a risk to data subjects AND who do no more than occasional processing are exempt from the requirement that their Article 30 record be held by their EU Rep. If you believe that this applies to you, please tick the relevant box during the signup process.
- What extra services do you provide?
The Article 27 service provided by EU Rep consists of the appointment of EU Rep as your EU Representative and all contractual documentation required to make that appointment effective. We will forward all contact from data subjects or supervisory authorities on to you as received, together with general GDPR advice. From time to time, however, you may require us to issue correspondence on your behalf. Our cost for issuing correspondence on your behalf is €50 per item of correspondence. Should more specific advice be required, we can provide this to you costed on a per item basis according to complexity and anticipated time expenditure. In particular, we can assist you in reporting personal data breaches to Supervisory Authorities or notifying personal data breaches to affected data subjects.
- Do we need changes to other documentation?
Yes, you should update your privacy documentation to reflect the appointment of your EU Representative. Sample wordings are included in the download pack provided to you on signup.
- Can you assist with data breaches?
Yes, we can assist you in reporting personal data breaches to Supervisory Authorities or notifying personal data breaches to affected data subjects. We can also assist you with the mandatory entry you must make in your data breach log, which you are required to do even if the data breach is not reportable or notifiable, and we can advise you generally on how to approach the data breach.
- What does 'established in the EU' mean?
The term “establishment” is not defined, but Recital 22 of the GDPR states: “Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
This is in accordance with CJEU case law such as Weltimmo, where the key thing is that the arrangement is stable, and that the activity is real. Thus even an EU subsidiary may not qualify as an establishment if it carries on no real activity in the EU.
Be aware also of the international tax concept of “Permanent Establishment”. Putting a base in an EU country, no matter how minor, can have major tax ramifications, both as to how much tax is payable and where that tax is payable. Businesses need to carefully consider how they might avoid the impact of having a permanent establishment in a location (so-called ‘PE risk’).
- I am established outside the European Union - What should I do?
If you sell to, or market to, EU citizens, it is highly likely that you will need to appoint an EU Rep to comply with Article 27 of the GDPR. We can help for a low-cost monthly fee.
- I am established in the EU - Am I exempt?
To be “established” in the EU requires “the effective and real exercise of activity through stable arrangements”, suggesting that an actual base of operations may be required to meet this requirement. Even an EU subsidiary may not qualify as an establishment under the Weltimmo ECJ ruling if it carries on no real activity in the EU in the context of the processing of the personal data in question.
Be aware also of the international tax concept of “Permanent Establishment”. Putting a base in an EU country, no matter how minor, can have major tax ramifications, both as to how much tax is payable and where that tax is payable. Businesses need to carefully consider how they might avoid the impact of having a permanent establishment in a location (so-called ‘PE risk’).
If you are established in the EU then the GDPR Article 27 requirement to appoint an EU Representative does not apply to your business. If you are NOT established in the EU and you target the EU market then the GDPR Article 27 requirement to appoint an EU Representative will likely apply to your business.
- Processing of Personal data - Am I exempt?
Article 2(2)(a) provides an exclusion from GDPR where processing exclusively applies to those areas where individual EU Member States retain control, including issues of fundamental rights and national security (Recital 16). Unless you are aware of a specific exemption, it would be best to assume the relevant activities will fall within the scope of EU law.
- Local Authorities - Am I exempt?
Article 27(2)(b) exempts public authorities and public bodies: this will include local and central government, as well as most publicly-funded institutions (education, healthcare, judiciary), but may not extend to private education and healthcare, especially where special category data (e.g. health data, data on political opinions, data on sexual orientation etc.) is being processed. This is interpreted on a national basis, according to what is defined as a public authority by that country.
- What are the fees?
Representation here in the EU costs from just €19 per month. There is a one-off sign-up fee of €99. This covers our appointment and continuing representation for you, and also covers our forwarding any correspondence from data subjects or supervisory authorities to you, together with general advice accompanying such correspondence. If you require us to send correspondence to data subjects or supervisory authorities on your behalf, we charge €50 per item of correspondence.
- What payment methods do you accept?
We accept payments by either credit card or direct debit. Credit card transactions happen in near real time and your documents will be sent by email as soon as payment is made, so that you should have them within minutes of the transaction. Direct Debit payments take a few days to be set up for the initial transaction, and documents are sent automatically once the first payment is received. Both payment methods are processed automatically by our payments provider STRIPE and processing of your order is done automatically by us on receipt of payment. We reserve the right to charge additional, reasonable, processing fees for processing direct debits.
- What if I need to change my payment details?
The good news is that it takes less than two minutes to change payment details.
- What if we have a number of companies we wish to be represented as a Group?
If you have more than one company to be represented, sign up each company separately. However, if you are signing up five or more companies, please contact us as we will provide an additional discount on signup fees for the fifth or subsequent company.
- Can our EU subsidiary or supplier be our EU Representative?
The European Data Protection Board has given a Guidance Note to the effect that the role of processor is incompatible with being an EU Representative. Therefore if your subsidiary or supplier processes ANY data on your behalf relating to EU residents, it will not be available to be a valid EU Representative for you. As a matter of practicality, even if your EU subsidiary or supplier does not use any such data, including contact details, it is still generally the case that subsidiaries and suppliers make poor EU Representatives, as their main function is usually not a compliance function, and they are usually not GDPR specialists.
Be aware also of the international tax concept of “Permanent Establishment”. Putting a base in an EU country, no matter how minor, can have major tax ramifications, both as to how much tax is payable and where that tax is payable. Businesses need to carefully consider how they might avoid the impact of having a permanent establishment in a location (so-called ‘PE risk’). There are some exemptions for activities of an incidental, preparatory, or ancillary nature, but under the ‘anti-fragmentation rule’ all activity is considered as a whole. The fewer duties a subsidiary undertakes on behalf of a group company, the less likely it is to constitute a PE risk.
- I am a UK-based business - How does Brexit affect me?
Now that the UK has exited the EU, you are required to comply with Article 27 and appoint an EU Representative.
Separate to the requirement to appoint an EU Representative, UK companies may be required to put procedures in place to allow them the right to transfer or access EU personal data. The EU has decided that UK data protections are “adequate”. This means that UK companies currently do not have to do anything additional to be able to continue to transfer personal data from EU to UK. The UK is considering diverging from EU GDPR standards which would place this adequacy ruling at risk.
- Why should I choose EU Rep?
We are data protection experts, lawyers and business professionals. We understand exactly what you require.
- What should I do next?
To get started here, simply click on the Appoint your Rep button below and fill in the form – it’s that simple!