The Data Protection Representative in the EU, UK, and Switzerland: Common Ground and Key Differences

If you sell goods/services or monitor the behaviour of individuals in the EU, UK or Switzerland, you will eventually face a practical question: what is a data protection representative, and what is the difference between this role under the GDPR, UK GDPR, and the Swiss FADP?

The representative helps data subjects (i.e. individuals) and data protection authorities reach a non-local organisation efficiently, in a familiar jurisdiction, and in local languages.

For many companies, the EU GDPR and the UK GDPR feel like near-identical twins. In representative terms, that is mostly true. However, Switzerland’s FADP takes a similar concept and gives it a slightly different shape. 

In this article, you’ll learn the key differences between:

– the EU GDPR representative model,

– the UK GDPR representative model (largely a mirror), and

– the Swiss FADP representative model (similar intent, but with a narrower scope).

Key Obligations

Below is the simplest way to remember the three models.

EU GDPR And UK GDPR: The Article 27 “Mirror” Approach

In both regimes, the core idea is the same: if you are outside the territory but are offering goods or services, or monitoring the behaviour of users, you may need a local representative.

In plain terms, the representative is appointed under a written mandate and is the local contact point for:

– data subjects (individuals) who want to exercise their rights or raise concerns; and

– data protection authorities, which can request information, such as access to the company’s Record of Processing Activities.

In addition, you are required to disclose the representative’s contact details on your website (e.g. privacy policy) or any other material that is appropriate (e.g. informed consent forms). 

The representative is mandated to be addressed, in addition to or instead of the company, by supervisory authorities and data subjects. In the EU, the representative must be established in a Member State where individuals whose data is being processed are located. There is no need to appoint one representative per Member State. To illustrate this with an example, if you appoint EDPO in Belgium, you are covered for the entire EU.

What does not change: you remain responsible for your compliance. A representative supports communication. It does not “transfer” legal responsibility. It’s important to note that a representative should not be confused with a data protection officer.

Switzerland (FADP): Similar Purpose, With A Slightly Different Frame

Switzerland’s FADP has a similar concept for foreign companies: the goal is still to ensure that individuals in Switzerland, and the Swiss authority, have a reachable local contact point.

Where the obligation applies, the controller must also transparently share the representative’s name and address, reinforcing the “easy-to-reach” objective. In addition, the representative needs to hold the Record of Processing Activities of the company that appointed it.

However, the trigger is narrower and more conditional. A company established abroad must appoint a Swiss representative only in the following circumstances:

  • It is acting as a private controller (i.e. this excludes companies acting as processors);
  • It is offering goods or services to people in Switzerland or monitoring their behaviour there (this point is mirrored in the EU and UK GDPR);
  • It is processing personal data on a large scale;
  • It is processing personal data on a regular basis; and
  • Its processing activities pose a high risk to individuals.

On this last point, we often see confusion from clients and prospective clients as to whether their processing activities qualify as “high risk.” In this context, it is helpful to refer to the guidance provided in the Swiss FADP FAQ, which offers useful clarification on how this assessment should be approached.

As per the FAQ, it has to be assessed on a case-by-case basis. “High risk” may arise from factors such as the volume and type of personal data processed (especially sensitive data), the purpose of the processing, and how the data is processed (for example, using new technologies). It may also depend on whether the data is disclosed abroad and how widely it can be accessed (for example, by a large, or even unlimited, number of people).

Side-By-Side Summary

  1. EU GDPR Representative (Article 27): local contact point in the EU for companies under the extra-territorial scope of the GDPR.  
  2. UK GDPR Representative (Article 27): same concept but located in the UK.  
  3. Swiss FADP Representative (Article 14): Swiss contact point, required only in narrower cases (typically regular, large-scale, high-risk processing tied to companies acting as controllers only).

How EDPO Helps

EDPO supports organisations that need a representative presence in the EU, UK, and Switzerland, with an operational approach that keeps your day-to-day manageable.

Here is what sets us apart:

  • Focused and dedicated: EDPO’s sole activity is acting as a Representative. We offer these services under the EU GDPR, UK GDPR and/or Swiss data protection law, as well as multiple other laws containing this requirement.
  • Strategic locations: Coverage across the EU/EEA, the UK, and Switzerland, with headquarters in Brussels close to EU institutions and stakeholders.
  • All-in transparent and tailored fees: Flat, all-inclusive pricing with no hidden charges; packages aligned to employee numbers and the type/volume of personal data processed.
  • More than a messaging hub: Full handling of requests from (and responses to) data subjects and data protection authorities, including translation and data breach notification support.
  • Recognized professionals: Multilingual, multidisciplinary team (legal, IT, security, risk), including certified privacy professionals. We are also on the official vendor list of the IAPP (International Association of Privacy Professionals).
  • Top-level security with ISO 27001 certification: We are proud to be ISO 27001 certified, which is the latest, highest and most comprehensive in-depth security certification.
  • Compliant and ethical contract: Clear mandate and obligations, with continued support and no automatic termination if you experience a data breach.
  • Easy client onboarding: Simple, friendly, fully digital onboarding designed to get you compliant quickly with Article 27 (EU & UK GDPR) and the relevant Swiss requirements.
  • Top-notch services in our DNA: High responsiveness and professionalism as a core service principle for clients, individuals, and authorities.
  • Worldwide knowledge network: Ongoing monitoring of data protection developments, with regular insights and updates shared with clients (including newsletter content, where relevant).
  • Extensive insurance coverage: Robust insurance in place so an incident affecting one client does not jeopardise service delivery to others.

EDPO is only and exclusively acting as a representative under certain EU, UK and Swiss legal frameworks. We do not operationalize compliance obligations or provide consultancy or legal advice.

Stay ahead of EU, UK and Swiss rules.
If you need a representative in the EU, UK or Switzerland, contact us.

About the author

Jane Murphy

Jane Murphy is a Belgian-Canadian lawyer specialising in data protection, corporate law, and EU regulations. She holds law degrees from Canada and Belgium, an LL.M. in EU and International Law, a Data Protection Certificate, and completed an International Business summer programme at Harvard, and an “AI: Implications for Business Strategy” executive program at MIT. Jane also has 15+ years of board experience across Europe and Asia and currently chairs Oracle Financial Services Software (OFSS) in Mumbai.
