Frequently Asked Questions
Does my company need an EU-representative according to Art 27 GDPR?
Companies established outside the EU are required to appoint an EU representative according to Art 27 GDPR in the EU if they:
- offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR); or
- monitor their behaviour (e.g. cookie profiling).
According to Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of the GDPR, this applies to controllers and processors alike. For processors not established in the Union, the applicability of the GDPR depends on what the “processing activities” are “related to”. If the data processing conducted for the controller is "related" to the offering of goods and services or the monitoring of behaviour, the GDPR applies to the processor in addition to the controller.
According to Art 27 GDPR, controllers or processors are exempted from the obligation if ALL of the following criteria are met:
- personal data is only processed occasionally, i.e. only from time to time and in a non-systematic way; AND
- the data processing does not include large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences; AND
- the data processing is unlikely to result in a risk to the rights and freedoms of data subjects.
It is hard to meet ALL of these criteria. The criterion of processing data only occasionally, in particular, is a significant hurdle in practice.
Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, the mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The EDPB lists the factors to be taken into account when assessing whether goods and services are offered in its Guideline 3/2018 on the territorial scope of the GDPR. Some of these factors are:
- using languages of EU Member States or offering payments in a currency of an EU Member State;
- using Google or Facebook ads to address the EU market, or any other marketing activity directed at EU customers;
- mentioning EU references or testimonials;
- the international nature of the activity at issue, such as certain tourist activities;
- mentioning dedicated addresses or phone numbers to be reached from an EU country;
- using EU top-level domains;
- describing travel instructions from one or more EU Member States to the place where the service is provided;
- offering the delivery of goods in EU Member States.
In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's offer, GDPR is likely to apply.
Not every online collection or analysis of personal data of individuals in the EU automatically counts as “monitoring”. Monitoring the behaviour of EU data subjects implies an intention to collect data for a specific purpose. Therefore, any kind of tracking of natural persons on the internet, including the potential subsequent use of profiling techniques, qualifies as "monitoring". Again, the EDPB gives some more guidance in Guideline 03/2018. According to the EDPB, monitoring may take place not only on the internet but also through wearables and other smart devices. Monitoring activities include:
- Behavioural advertisement
- Geo-localisation activities, in particular for marketing purposes
- Personalised diet and health analytics services online
- Market surveys and other behavioural studies based on individual profiles
- Monitoring or regular reporting on an individual’s health status
The GDPR extends its ‘territorial scope’ to controllers and processors having their registered office in a country outside of the EU. As a result, the exorbitantly high penalties of up to EUR 10 million or 2% of the worldwide annual turnover apply if a processor or a controller does not comply with the obligation to appoint an EU representative. The penalties may be enforced by individual claims or by authorities. Furthermore, your partners in the EU may be obliged to stop transferring data to your company.
What to look for in an Art 27 representative?
There are two big myths about the best location of a representative:
- you need a representative in every EU Member State; and
- the location of the representative determines which data protection authority is the lead supervisory authority.
Both are myths and therefore wrong. The EDPB clarifies in its Guideline 03/2018 on the territorial scope that only one representative needs to be appointed, which can then act in all other Member States, and that the concept of a lead supervisory authority does not apply in the case of non-EU companies.
The representative shall act as a middleman between authorities and data subjects on the one hand and the processor and controller outside the EU on the other hand. The representative needs to be mandated by the controller or processor in writing to be addressed by supervisory authorities and data subjects on all privacy issues. Furthermore, the representative shall according to Art 30 GDPR maintain the records of processing activities and shall make the record available to the supervisory authority on request.
Our goal is to enable non-European companies to comply with the GDPR through a combination of legal expertise and technology to deliver this expertise. The practical insights we gain as a law firm in our role as appointed Data Protection Officer (DPO) for major banks, financial service providers, tech companies and others go into the development of our tools, such as a Data Subject Access Request (DSAR) tool, a tool for the records of processing activities, and the automation of the role of a representative. We support you in all privacy-related matters and, above all, in helping your business grow by enabling you to improve customers' trust and handle privacy matters in an efficient and professional way.
GDPR-Rep.eu offers representation as a service complying with Art 27 GDPR. The basic service of GDPR-Rep.eu contains:
- Art. 27 GDPR compliant representative located in Europe acting as a one-stop-shop in all EU-Member States;
- privacy landing page for Clients, which can be individualized with the Client’s logo;
- a DSAR management tool to structure privacy requests and handle these from a formal point of view, including a request management workflow;
- unlimited forwarding of electronic requests from data subjects;
- unlimited forwarding of postal messages from data subjects;
- unlimited forwarding of requests from supervisory authorities;
- a company login for a dashboard to manage all privacy requests and the subscription;
- certificate for appointing GDPR-Rep.eu as the client’s representative, which the client can include in its website;
- Individual bespoke legal services, especially answering requests by data subjects or authorities. Advisory or consulting services are not included in the SaaS solution but offered separately by iuro.
GDPR-Rep.eu, provided by Maetzler Rechtsanwalts GmbH & Co KG, is under the supervision of the Vienna Bar Association (national supervisory authority) and complies with the Austrian bar rules (RAO, RL-BA) on IT security and data privacy compliance. Maetzler Rechtsanwalts GmbH & Co KG is bound by the applicable rules of professional secrecy with regard to the contents of the consultation and the data obtained and processed in relation to Art 27 representation. Critical communication infrastructure components are operated by a service provider approved by the Austrian Bar Association. They are audited at least annually against the SOC 1 (SSAE18, ISAE 3402) and SOC 2 (AT Section 101) standards. The relevant data center(s) are certified under the international standard ISO/IEC 27001:2013 and PCI-DSS.
How can my company appoint GDPR-Rep as my representative?
The onboarding process is simple and can be completed in a couple of minutes, and best of all: we grant your company a 14-day trial to keep the appointment completely risk-free.
Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories and therefore by the number of persons employed. "Employees" includes part-time workers and freelancers.
Enter your company's details. Your risk-free 14-day trial period starts when you complete this step.
After registering, you will find a download button for the Power of Attorney (PoA). A signed PoA is required to evidence the appointment of GDPR-Rep.eu as your representative in case of requests by data protection authorities. We kindly ask you to sign and upload your PoA.
Our back office team will check and verify the provided information on your company and the PoA. This is usually done within a couple of hours.
Every separate entity requires representation according to Art 27 GDPR. Nevertheless, GDPR-Rep.eu offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account with sub-accounts for every affiliate. The requirement is a centralised data protection management within the group that handles the main account and the sub-accounts with one centralised login. The number of affiliates depends on the package you signed up for: the "small-enterprise package" includes one affiliate, the "medium-sized enterprise package" up to 5 affiliates, and the "large enterprise package" any number of affiliates. All included group entities must operate in the same industry, offer the same range of products and have the same or a linked brand.
You can choose between monthly, quarterly and yearly payment. Your company gets a discount for quarterly payment and an even higher discount for the yearly payment option. Please note that your company's options to terminate the subscription depend on the chosen payment period.
Furthermore, you can choose between paying by credit card, bank transfer or PayPal. We accept almost all credit cards and bank transfers in EUR and USD. Please contact our support team should you have further questions!
How can my company manage the representation?
When individuals contact GDPR-Rep.eu with requests addressed to your company, GDPR-Rep.eu processes personal data on behalf of your company. The data processing agreement for this type of processing is attached to the engagement letter provided to you during the onboarding process.