Frequently Asked Questions
about the EU Data Privacy Representative.

The EU General Data Protection Regulation (GDPR) has a broad scope of application. It applies to any personal information, which may include name, contact details including e-mail address, payment information, IP address, device fingerprints, as well as location and other behavioral data.

It not only affects companies with establishments in EU member states, but also includes non-EU based companies which collect, receive, retain or otherwise use personal information on individuals in the EU, given that the company:

• offers goods or services to individuals in the EU, irrespective of whether such services are chargeable or free, or
• monitors the behavior of individuals.

Therefore, as a condition for the GDPR to apply, the company must somehow target the EU market. The threshold is very low as this may include, among others, the following business activities:

• budgeting ad campaigns targeted at consumers in the EU, such as through search engines and social networks, or displaying testimonials from the EU,
• offering services with an international nature, such as certain touristic activities,
• using EU website top-level domains such as .de, .fr., .es. or .eu or providing EU language versions of an online service or mobile application, if different from the language commonly used in the country where the company is based,
• accepting payments in Euro or another EU currency,
• mentioning the EU or its member states in the context of a good or service, or providing specific support contact details for EU customers,
• delivering goods to EU member states,
• profiling, including behavioral advertisement and processing of geolocation data, particularly for marketing purposes,
• online tracking with cookies or other tracking techniques such as device fingerprinting
• personalized digital diet and health analytics services,
• market surveys and other behavioral studies based on individual profiles,
• CCTV.

Depending on the individual case, the company may already be subject to the GDPR if only one of these triggers apply.

The scope also includes service providers which do not use personal data for their own purposes, but only on behalf of others (e.g. cloud services, SaaS providers).

To learn more about the extraterritorial scope of the GDPR, please click here for a summary of official EU guidelines or contact us.

Find out if you need to appoint an EU REP.

The obligation to appoint an EU representative pursuant to Art. 27 of the General Data Protection Regulation (GDPR) applies to any company

• without an establishment in at least one of the EU member states,
• which processes personal information being subject to the GPDR (see question above).

Exempted are companies who meet the following requirements:

• only occasional processing of personal data of individuals in the EU,
• no large-scale processing of sensitive data such as information on health or criminal convictions, and
• processing is unlikely to result in a risk for individuals (e.g. using customer data only to fulfill a one-time order and no further data retention for marketing purposes).

Since these requirements must be met cumulatively, the scope for the exception is quite narrow. Whether such exception applies requires legal review in the individual case.

The main functions of an EU representative are, by law:

• to act as a local point of contact inside the EU for all inquiries relating to issues of data protection, particularly for customers and data protection supervisory authorities, often with legal effect for the company,
• to retain records of processing activities (Art. 30 GDPR) of the company in the EU,
• to cooperate with supervisory authorities in case of investigations.

EU-REP.Global is specialized in fulfilling these abovementioned requirements in a compliant and customer-friendly manner. In case you need additional services relating to data protection compliance, such as legal advice or the appointment of a Data Protection Officer pursuant to Art. 37-39 of the GDPR, we will be glad to get you in touch with our partners.

In case your company is obliged to appoint an EU representative but fails do to so, EU data protection supervisory authorities may issue penalties of up to 10 mio. € or 2% of your company’s global annual turnover, whichever is higher. According to EU laws, those fines may also be enforced against entities established in non-EU states.

Another aspect is that, since awareness in the EU regarding matters of data protection has raised enormously, your B2B or B2C customers in the EU pay attention whether you comply with GDPR obligations. The consequences of negative publicity coming along with reports on non-compliance may even exceed the damage caused by financial penalties.

Apart from general business compliance, appointing an EU representative triggers a one-stop shop for security incident reporting under the GDPR. If, for example, exploitable vulnerabilities cause an unauthorized disclosure of user data, companies are required to report such data breaches to the data protection supervisory authorities in Europe. Since there are 43 different national authorities, rolling out breach notifications is time-sensitive and costly, particularly considering that notifications must be within 72 hours. Companies with an appointed EU representative only need to submit a report to one single authority, even if the breach affects users in all EU countries.

The UK has left the European Union as of January 31, 2020. EU laws including the GDPR, however, continue to apply in the UK due to a transitional period which was agreed on under the UK Withdrawal Agreement between the EU and the UK at least until January 1, 2021. From then on, in the UK, a "national version" of the GDPR will govern matters of data protection.

With regard to the GDPR representative requirement, 3 different scenarios should be distinguished:

• Companies which are located neither in the EU nor in the UK (but are doing business with the EU and UK) will need to appoint an EU representative as well as a separate UK representative.
• Companies which are located in the EU (and do business with the UK) will need to appoint a UK representative.
• Companies which are located in the UK (and do business with the EU) will need to appoint an EU representative.

Whatever applies to your business, EU-REP.Global is ready to cover all legal requirements.

If you choose EU-REP.Global as your GDPR EU representative service, we will get you started as quickly as possible:

• We will review your company details and provide you with an offer to sign up for our services. Thereby you also grant us a power of attorney, which is required by law. We will not make any binding statements on your behalf without your prior approval.
• We will set up your individual e-mail account (customer@eu-rep.global) and postal address to be addressed for your customers and supervisory authorities.
• We will receive and keep for you the necessary documents, particularly records of processing activities (Art. 30 GDPR).
• We will provide you with advice on how to implement our contact details into your privacy policy.
• We will review any incoming communication for a brief legal risk assessment and forward it to you immediately. Our support is always available to assist you in case you have any queries.

You can settle the invoices by bank wire (EU bank account), credit card, or PayPal. Our services are charged on an annual basis.

If you represent a group of companies that require EU GDPR representative services, please contact our sales team at service@eu-rep.global.

EU-REP.Global itself is specialized in GDPR EU representative services. Depending on your individual demands, we are able to establish contact to our partners that offer the following services:

• Full legal GDPR compliance advice
• Privacy dispute resolution
• GDPR Data Protection Officer
• Hands-on implementation advice
• Many other services relating to GDPR

Please contact us for further information.