Our EU Representative Services
Do you need to Appoint a Data Protection Representative in the EU?
- Your company is based outside the EU/EEA* and doesn't have an establishment there
- Your company offers goods or services to individuals in the EU/EEA* (for payment or for free) and/or you monitor their behavior (such as tracking, profiling, etc.)
Still not sure if you need to appoint a Data Protection Representative?
We provide a full range of high-quality representation services
We strive to understand your needs and expectations to provide you with personalized services.
We act in your name and on your behalf in the entire EU/EEA for GDPR purposes. We are located in Brussels, the EU’s capital, and are therefore close to EU institutions, decision-makers and influencers. We also have offices throughout Europe to support you as closely as possible as your GDPR representative. As confirmed by the Guidelines of the European Data Protection Board, your EU representative must only be established in one – and only one – of the EU/EEA countries where the data subjects whose personal data your company processes are located. If your company processes personal data of individuals who are located in more than one EU country, then you can choose in which country to appoint your EU representative.
We handle an unlimited number of DSARs across the entire EU/EEA. By “handling”, we mean that we receive requests, perform identity checks (if you instruct us to do so), forward the requests to you (with a free English translation if needed), answer your questions as to best practices on how to respond to the requests and reply to the data subjects on your behalf (with, again, a free translation if needed), unless you choose to answer yourself. We aren’t just a mailbox or message forwarding service.
Requests from Data Protection Authorities
We handle an unlimited number of requests from DPAs in the EU/EEA. We understand that it can be quite daunting for companies to be contacted by DPAs. That’s why our team handles such requests with great care and diligence (including free translation if needed).
IMPORTANT NOTICE IN CASE OF DATA BREACH: Our contract will not automatically terminate in the event that you experience a data breach. We support you all the time and all the way.
We provide you with a GDPR Article 27 Compliance Certificate based on data protection technology through a unique high-level encryption / decryption process (including Blockchain technology) which can be used on your website and on your company material. Check our compliance page to see what it looks like!
We are proud to be ISO 27001 certified, which is the latest, highest and most comprehensive in-depth security certification. It demonstrates our commitment to information security and confirms that we have implemented industry-leading security practices to protect our clients’ data. The scope of our certification covers all our processes involved in the provision of data protection Representative services in the EU/EEA and in the UK for companies located outside the EU/EEA and/or the UK, pursuant to Article 27 of the EU & UK GDPR.
We answer all your questions about our services and keep you updated with a weekly newsletter. Our experts are at your disposal to assist you beyond local office hours, accommodating your international time zone.
We provide you with a free English translation of all requests from data subjects and data protection authorities as well as a free English-to-original language reply. We also provide you with access to our digital data breach notification platform which includes an English translation of the data breach notification forms of the relevant Data Protection Authorities in the EU/EEA.
We provide you with the wording that you have to include in your privacy policy on your website or in other documents (e.g. those required in clinical trials) with respect to the appointment of EDPO as your EU representative, including EDPO’s contact details and logo.
EDPO Just Stands Out
Partner and Head of the European Cyber/Data/Privacy practice of a top-tier American international law firm
What should you look for in an EU & UK Data Protection Representative?
- What services are included? Are there any extra (hidden) costs?
- What languages are covered? Is translation included in the fees?
- Who is the team? What are their qualifications and experience?
- Does the Data Protection Representative provide data breach notification support?
We cover the world. We cover all industries.
You'll find below a non-exhaustive list of industries that already work with us.
Frequently Asked Questions
Check our FAQ page for more questions and answers.
How does the EU Representative assist non-EU companies?
The main task of the Data Protection Representative in the EU is to act as a point of contact for the data protection authorities and individuals in the EU whose personal data is being processed by non-EU companies.
The representative acts on behalf of non-EU companies, performing its tasks according to the mandate received from them, including cooperating with the data protection authorities with regard to any action taken to ensure compliance with the GDPR.
The Data Protection Representative also has to maintain records of the processing activities of their clients.
Where does the EU Representative have to be located?
Your EU GDPR representative must be located in a (single) country in the EU where the individuals whose data are being processed are located. If your company generally targets the entire EU, then it can choose the country where it wants to base its representative. As Brussels is the capital of the EU, it is a preferred location for non-EU companies to designate their GDPR representatives.
Do your services cover all EU countries or only certain countries?
Our services cover the entire EU/EEA by default. If your company is only active in certain countries, please let us know, as this will impact the choice of the country where you need to appoint us. That being said, if your company is active everywhere in the EU/EEA or plans to grow, you’ll always be covered.
Does designating a Data Protection Representative release the non-EU companies from liability and responsibility?
NO. The GDPR clearly states that the designation of a Data Protection Representative does not affect the responsibility and liability of the non-EU companies that fall within the scope of the GDPR. The designation is without prejudice to legal actions which could be initiated against the non-EU companies.
How much does it cost to appoint an EU Representative?
Our Data Protection Representative fees are based on the size of your company (in terms of number of employees), the type of data (regular data and/or sensitive data) that your company processes, whether or not your company’s processing operations require regular and systematic monitoring of individuals in the EU and whether your company processes personal data on a large scale. All packages can be tailored to your company’s specific needs.
Click here to know more about our EU Representative fees.
If you also need to appoint us as a UK or a Swiss Representative, please let us know as we have discounted prices.
Do the EU representative services cover the UK or Switzerland too?
No. Given that the UK has left the EU, it is a separate jurisdiction which has its own UK GDPR. Switzerland is not in the EU/EEA and also has its own Data Protection Law. If your company is active in the EU, UK and Switzerland, you will need to appoint up to three Representatives. Head over to our UK Representative page or our Swiss Representative page to learn more.
What is personal (regular) data?
Personal data under the GDPR has a very broad interpretation and includes any information that relates to an identified or identifiable natural person: name, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic), identification numbers, location data, age, origins, pseudonyms, etc.
What is sensitive data?
Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.
What is considered to be processing “on a large scale”?
The GDPR and UK GDPR do not define what constitutes “large scale” processing but guidelines recommend that the following factors be considered when determining whether the processing is carried out on a large scale:
- The number of individuals concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer
The Swiss Authority defines large scale as follows: “The term ‘large-scale’ refers to cases where data is not simply processed in an isolated way. For example, a medical practice or hospital might process patient data. On the other hand, the isolated processing of the data of an employee who is absent due to illness by a company does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of sensitive data constitutes the essential part of the activities of the person or body in question.”