Frequently Asked Questions about GDPR & EU Representation.

The GDPR is a piece of extra-territorial legislation. It applies to private organisations (including non-profits) who use data relating to individuals in the EU. Therefore, if you sell or market to the EU, or even merely accept orders from the EU (unless you don’t do so regularly and it occurs outside your regular course of business or activity), you are likely to require an EU Representative. See guidance from the European Data Protection Board for further clarification.

First and foremost, make sure your EU Representative is actually based in an EU jurisdiction. Some companies operate via brass plate arrangements, where the real operation is outside the EU and the EU presence is merely a PO Box or inactive entity. This may not qualify as a valid establishment. Always verify where decisions are made and where data protection expertise is located.

Secondly, remember that the EU Representative role has limited duties under Article 27. Expensive services may include unnecessary add-ons or be overpriced.

Thirdly, choose a Representative with legal expertise. If litigation or regulatory action arises, competent legal support is essential.

Lastly, select a provider who charges transparently for actual services delivered rather than front-loading unnecessary costs.

Penalties for non-compliance with GDPR are significant. Administrative fines can reach up to €20 million or 4% of global turnover (whichever is higher). In some EU jurisdictions, personal criminal liability may apply to managers, directors, or company officers, including fines and imprisonment. These penalties can be enforced throughout the EU.

Compliance demonstrates accountability and commitment to data protection. It builds trust, enhances reputation, reassures business partners, and significantly reduces the risk of severe sanctions or personal liability.

EU Rep is based in Ireland. Following Brexit, Ireland became the only fully English-speaking EU Member State. EU Rep is insured to provide Article 27 representation services.

All services include:
• Appointment as your Article 27 EU Representative
• Holding your Article 30 ROPA record
• Required transparency wording (Articles 12, 13, 14)
• Controller–Processor Agreement compliant with Article 28(3)
• Certificate of Compliance with Article 27

Representation starts from €19 per month, with a one-off signup fee from €99. Correspondence forwarding and general advice are included.

E-Rep: Self-directed service. You submit or upload your Article 30 ROPA. No review included. Generic certificate issued.

PRO: Includes review of your Article 30 ROPA and ongoing review of updates. Tailored certificate issued.

PREMIUM: Includes mini-audit and drafting/redrafting of your Article 30 ROPA. Ongoing review included. Tailored certificate issued.

You may upload any bespoke Article 30 record for us to hold on your behalf.

Organisations with fewer than 250 employees that do not process special category or criminal data, do not pose risk to data subjects, and process only occasionally may qualify for exemption. Confirm during signup if applicable.

We forward correspondence from data subjects or supervisory authorities and provide general advice. Issuing correspondence on your behalf costs €50 per item. We also assist with personal data breach reporting and notifications.

Yes. Your privacy documentation must reflect the appointment of your EU Representative. Sample wording is provided upon signup.

Yes. We assist with breach reporting to Supervisory Authorities, notifications to affected individuals, mandatory breach log entries, and general breach management advice.

“Establishment” implies real and effective activity through stable arrangements. Legal form is not decisive. Even an EU subsidiary may not qualify if it performs no real activity. Be mindful of potential tax implications related to Permanent Establishment (PE risk).

If you sell or market to EU residents, you likely need to appoint an EU Representative under Article 27.

If genuinely established in the EU through real and stable activity, Article 27 does not apply. If not established and targeting the EU market, appointment of an EU Representative will likely be required.

Article 2(2)(a) excludes certain national security and state activities. Unless clearly exempt, assume GDPR applies.

Public authorities and public bodies are exempt under Article 27(2)(b). Interpretation depends on national definitions.

Representation costs from €19 per month with a €99 signup fee. Correspondence issued on your behalf is €50 per item.

Payments accepted via credit card or direct debit. Credit card payments process immediately. Direct debit setup may take several days.

Payment details can be updated quickly, typically within two minutes.

Each company must sign up separately. Discounts may apply for five or more companies.

If your subsidiary or supplier processes EU data on your behalf, it cannot act as your EU Representative. Additionally, subsidiaries may create Permanent Establishment tax risks.

Post-Brexit, UK businesses targeting the EU must appoint an EU Representative. The EU currently recognises UK data protection as adequate, but divergence may affect this status.

We are experienced data protection experts, lawyers, and business professionals who understand your compliance requirements.

Click the signup link, complete the form, and appoint your EU Representative quickly and easily.