Frequently Asked Questions

Do I need an EU-representative according to Art 27 GDPR?

Which companies need an EU representative?

Companies established outside the EU are required to appoint a representative in the EU according to Art 27 GDPR when they:

  • offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR), or
  • monitor their behaviour (e.g. cookie profiling).

Are there any exemptions from the obligation to appoint an EU representative?

According to Art 27 GDPR, a controller or processor is exempted from this obligation if all of the following criteria are met:

  • personal data is only processed occasionally,

  • the processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and

  • the processing is unlikely to result in a risk to the rights and freedoms of data subjects.

What are the responsibilities of representatives?

The representative shall act as a middleman between authorities and data subjects on the one hand and the processor and controller outside the EU on the other hand. The representative needs to be mandated by the controller or processor in writing to be addressed by supervisory authorities and data subjects on all privacy issues. Furthermore, the representative shall, according to Art 30 GDPR, maintain the records of processing activities and make them available to the supervisory authority on request.

What fine may be imposed for non-compliance?

The GDPR extends its ‘territorial scope’ to controllers and processors having their registered office in a country outside of the EU. As a result, the exorbitantly high penalties of up to EUR 10 million or 2% of the worldwide annual turnover apply if a processor or a controller does not comply with the obligation to appoint an EU representative. The penalties may be enforced through individual claims or by authorities.

How can help me/my business?

Who is is a service provided by iuro attorney at law I Dr. Andreas Mätzler, a law firm qualified in the European Union, located in Vienna. iuro specializes, among other things, in data protection law and in acting as Data Protection Officer and Representative for customers all over the world. The service was developed and is being further enhanced by a team of lawyers, IT-security specialists and software developers.

What are the services?

has automated the role of a representative and offers a representation complying with Art 27 GDPR as a SaaS-solution. The basic service of contains:

  • an individual privacy landing page with a contact form for data subjects and authorities

  • unlimited forwarding of electronic requests from data subjects

  • unlimited forwarding of postal messages from data subjects

  • unlimited forwarding of requests from supervisory authorities

Individual bespoke legal services, especially answering requests from data subjects or authorities, and advisory or consulting services are not included in the SaaS-Solution but are offered separately by iuro.

How can I appoint GDPR-Rep as my representative?

What is the process of appointing as EU-representative?

  1. Choose the subscription that fits the size of your company – start-ups, micros, small enterprises, medium-sized enterprises or large enterprises. The categories are based on the common European classification of companies by the number of employees.

  2. Fill in the registration form and choose a payment method. Please note that the default payment method is credit card. If you would like to pay via bank transfer, please contact us.

  3. After registration, you will find a download button for the Power of Attorney (PoA). A written PoA is required to evidence the appointment of as your representative in case of requests by data protection authorities. We kindly ask you to sign and upload your PoA.

  4. Our back-office team will check and verify the provided information on your company and the PoA. This is usually done within minutes, but can take up to one business day in case of a high number of requests.

  5. Once the PoA has been approved, you can log in to your dashboard, where you will find the information you may include on your homepage and in your privacy policy to get started.

How does verify the existence of my company?

Our verification and identification process is based on a so-called “penny transfer”. We ask you to provide your company’s credit card details and charge you EUR 1. If this transfer is successful, we rely on the Know-Your-Customer check of your bank.

What are my payment options?

You can choose between monthly, quarterly and yearly payment. We give you a discount for quarterly payment and a larger discount for yearly payment. Please note that your options to terminate the subscription depend on the chosen payment period.

Furthermore, you can choose between paying by credit card or via bank transfer. As we use penny transfer for our identification process, the onboarding may take up to three days if you choose bank transfer.

We are a group of companies. Do you offer special options for us?

Every separate entity requires representation according to Art 27 GDPR. Nevertheless, in the "medium enterprise-package" and in the "large enterprise-package" we offer you the option to sign up for a group package to manage the representation of your affiliates through one main account with sub-accounts for every affiliate. In the "medium enterprise-package" up to 5 entities are included, and in the "large enterprise-package" unlimited entities. The requirement for this cheap and efficient way to manage your representation in a group of companies is that all included group entities operate in the same industry, offer the same range of products and have the same or a linked brand.

How can I manage the representation?

What happens to incoming requests?

filters requests according to formal criteria. Requests which have no obvious formal deficiencies are forwarded to the address you specified. Requests with formal deficiencies are answered automatically with an invitation to remedy them.

Does offer help with answering requests?

is an automated SaaS-solution provided by iuro attorney at law I Dr. Andreas Mätzler. iuro would be pleased to assist you in answering requests as an individual bespoke legal service.

Is one of my processors and where can I find the data processing agreement?

In case individuals contact with requests addressed to you, is processing personal data for you. The data processing agreement for this type of processing is attached to your Engagement Letter.

How can I be notified of incoming requests?

In the upper right corner, you will find a tab where you manage your account. There is a section “notification” where you can easily add and remove addresses for request forwarding.


Why does a reminder pop up to upload the records of processing activities?

According to Art 30 GDPR data protection authorities may request as your representative to provide your records of processing activities. To present the records of processing activities on your behalf to data protection authorities it is essential that you provide us with the necessary GDPR documentation and especially the record of processing activities.

Where can I find my invoices?

Your invoices are listed in your account details (Submenu "Billing").

How can I manage more than one business?

Each of your companies has one account - conveniently managed through your main account. Billing can either be centralized through your main account, or each company is billed on its own.

How can I customize my privacy landing page?

The privacy landing page we offer you is your window to European data subjects. Therefore, we enable you to brand it with your logo. To do so, log in and go to "Manage privacy landing page". There you can upload your logo and preview and test your privacy landing page.