EU GDPR Data Protection Representative Services
What is a GDPR Data Protection Representative?
A GDPR Data Protection Representative is a legal entity designated under Article 27 of the GDPR to act on behalf of non-EU companies. The representative serves as a point of contact for EU data protection authorities and individuals regarding the processing of personal data.
Do You Need to Appoint an EU GDPR Data Protection Representative?
Eligibility Criteria
- Your company is not established in the EU/EEA
- You offer goods or services to individuals in the EU (paid or free)
- You monitor the behaviour of individuals in the EU (e.g. tracking, profiling)
EDPO GDPR Data Protection Representative Services
EU/EEA Representation Coverage
Requests from Data Protection Authorities
Data Breach Notification Support
GDPR Article 27 Compliance Certificate
ISO 27001 Certified Security
Benefits of Choosing EDPO
- Strategic location in Brussels, close to EU institutions
- Transparent and all-inclusive pricing
- Multilingual legal and cybersecurity experts
- Unlimited handling of regulatory and data subject requests
How to Appoint Your GDPR Data Protection Representative
Here is our checklist for the appointment of your Data Protection RepresentativeUse the form below to request a free quote or take our free assessment test to determine your obligations under the GDPR.
What services are included? Are there any extra (hidden) costs?- What languages are covered? Is translation included in the fees?
- Who is the team? What are their qualifications and experience?
- Does the Data Protection Representative provide data breach notification support?
- What services are included? Are there any extra (hidden) costs?
- What languages are covered? Is translation included in the fees?
- Who is the team? What are their qualifications and experience?
- Does the Data Protection Representative provide data breach
notification support?
We cover the world. We cover all industries.
You'll find below a non-exhaustive list of industries that already work with us.
FAQ – GDPR Data Protection Representative
Check our FAQ page for more questions and answers.
How does the EU Representative assist non-EU companies?
The main task of the Data Protection Representative in the EU is to act as a point of contact for the data protection authorities and individuals in the EU whose personal data is being processed by non-EU companies.
The representative acts on behalf of non-EU companies, performing its tasks according to the mandate received from them, including cooperating with the data protection authorities with regard to any action taken to ensure compliance with the GDPR.
The Data Protection Representative also has to maintain records of the processing activities of their clients.
Where does the EU Representative have to be located?
Your EU GDPR representative must be located in a (single) country in the EU where the individuals whose data are being processed are located. If your company generally targets the entire EU, then it can choose the country where it wants to base its representative. As Brussels is the capital of the EU, it is a preferred location for non-EU companies to designate their GDPR representatives.
Do your services cover all EU countries or only certain countries?
Our services cover the entire EU/EEA by default. If your company is only active in certain countries, please let us know, as this will impact the choice of the country where you need to appoint us. That being said, if your company is active everywhere in the EU/EEA or plans to grow, you’ll always be covered.
Does designating a Data Protection Representative release the non-EU companies from liability and responsibility?
NO. The GDPR clearly states that the designation of a Data Protection Representative does not affect the responsibility and liability of the non-EU companies that fall within the scope of the GDPR. The designation is without prejudice to legal actions which could be initiated against the non-EU companies.
How much does it cost to appoint an EU Representative?
Our Data Protection Representative fees are based on the size of your company (in terms of number of employees), the type of data (regular data and/or sensitive data) that your company processes, whether or not your company’s processing operations require regular and systematic monitoring of individuals in the EU and whether your company processes personal data on a large scale. All packages can be tailored to your company’s specific needs.
Click here to know more about our EU Representative fees.
If you also need to appoint us as a UK or a Swiss Representative, please let us know as we have discounted prices.
Do the EU representative services cover the UK or Switzerland too?
No. Given that the UK has left the EU, it is a separate jurisdiction which has its own UK GDPR. Switzerland is not in the EU/EEA and also has its own Data Protection Law. If your company is active in the EU, UK and Switzerland, you will need to appoint up to three Representatives. Head over to our UK Representative page or our Swiss Representative page to learn more.
What is personal (regular) data?
Personal data under the GDPR has a very broad interpretation and includes any information that relates to an identified or identifiable natural person: name, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic), identification numbers, location data, age, origins, pseudo, etc.
What is sensitive data ?
Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.
What is considered to be processing “on a large scale"?
The GDPR and UK GDPR do not define what constitutes “large scale” processing but guidelines recommend that the following factors be considered when determining whether the processing is carried out on a large scale:
- The number of individuals concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer
The Swiss Authority defines large scale: “The term "large-scale" refers to cases where data is not simply processed in an isolated way. For example, a medical practice or hospital might process patient data. On the other hand, the isolated processing of the data of an employee who is absent due to illness by a company does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of sensitive data constitutes the essential part of the activities of the person or body in question.”)