Your benefits
- Special knowledge in GDPR
  We dealt with the General Data Protection Regulation at a very early stage and therefore have extensive specialized knowledge.
- Pragmatic solutions
  Through many years of experience in different company types, industries, and structures, we offer practice-proven solutions.
- Data protection and IT expertise
  The various qualifications of our consultants in data protection and information technology are unique in the industry.
Your EU representative in all matters relating to the GDPR
According to Article 27 (1) GDPR, companies need an EU representative if, as a controller or processor, they either offer goods or services to data subjects or monitor the behaviour of data subjects in the Union, and are not established in the EU but in a so-called third country. The EU representative acts as an additional contact person for supervisory authorities and data subjects within the EU. With the written appointment, he or she acts on behalf of the controller and must fulfil the tasks and obligations pursuant to Article 27 GDPR.
There are no specific requirements for the qualifications of the EU representative. However, he or she should have legal expertise in data protection law and a high level of technical understanding to be able to communicate with the supervisory authorities at eye level. Our consultants are lawyers with a great deal of expertise in European data protection law. With our wealth of knowledge and experience built up over decades, we ensure compliance in data protection while taking a very pragmatic approach. In the function of EU representative, we represent your interests in the European Union in compliance with European data protection regulations. We support you in fulfilling the obligations under Article 27 GDPR and, if requested, advise you on how to implement your business activities in the European Union in a data protection-compliant manner.
For many years, we have been advising companies in an international context and have contributed to ensuring compliance. As your EU representative, we support you in fulfilling your obligations under Article 27 GDPR within Europe. We know the tasks and obligations very well and act as an adequate contact point in all matters for supervisory authorities and data subjects. In doing so, we always consider the individual and structural circumstances of the company and bring them into line with compliance with the European requirements.
Our extensive experience in setting up a complaints management system for data subjects enables us to draw on established processes and best practices. We have extensive experience in communicating and dealing with supervisory authorities. We will maintain your records of processing activities and will also be happy to support you in creating the records in accordance with the requirements of Article 30 GDPR. For the implementation of these documentation requirements, you can use our data protection management software Guardileo, if required.
How we can support you as your EU representative
- Fulfilling the position of an EU representative in accordance with Article 27 GDPR
- Acting as a contact point for communication with supervisory authorities
- Acting as a contact point for data subjects concerning all matters related to data protection
- Addressing data subjects’ requests
- Assisting in the preparation and maintenance of the record of processing activities
Frequently asked questions about the EU representative
We’ll tell you what you should know about the role of the EU representative.
A company must appoint an EU representative pursuant to Article 27 (1) GDPR if this company (i.e., the represented party) offers goods or services within the EU to data subjects or monitors their behaviour in the EU in accordance with the marketplace principle laid down in Article 3 (2) GDPR, but does not have an establishment in the EU, i.e., within the scope of the GDPR, but instead is established in a third country.
- Accordingly, there must be a targeted processing of personal data of data subjects located in the EU, regardless of their nationality/legal status (Recital 14) and
- the specific data processing must relate to the offering of goods or services (including free of charge) or behavioural monitoring in the EU.
Exceptions only apply in the case of occasional processing of personal data with low sensitivity, which does not result in a risk to the rights and freedoms of natural persons, or if the company is a public authority or body. If these exceptions do not apply, the designation of an EU representative is mandatory by law and therefore required. If the designation is not made despite the existence of the above-mentioned requirements, the competent supervisory authority may impose an administrative fine on the company in question.
The concrete tasks and duties of the representative result from Article 27 (4) GDPR in conjunction with Recital 80 sentence 5 as well as from the contract with the represented party. Essentially, the EU representative shall act as a concrete contact point for data subjects as well as supervisory authorities. The following tasks and duties are essentially covered by this:
- Maintaining and making available the records of processing activities in response to requests from supervisory authorities, insofar as these activities are subject to the responsibility of the representative. This includes processing activities for which the territorial scope of application is opened pursuant to Article 3 (2) GDPR (Article 30 GDPR).
- Cooperation with the supervisory authority in the performance of its tasks (Article 31 GDPR).
- Provision of all information required by the supervisory authority in the performance of its tasks (Article 58 (1) (a) GDPR). The supervisory authority may accordingly require the EU representative to provide the necessary information.
- Additional contact point for the supervisory authority, data subjects, and, where applicable, other bodies for all issues relating to the processing of personal data, Article 27 (4) GDPR.
- Pursuant to Section 44 (3) sentence 1 German Federal Data Protection Act, the representative is authorised to accept official service in civil court proceedings (only applies to actions brought by data subjects against the controller or processor).
The EU representative must be established in one of the EU Member States where the data processing takes place or where the data subjects are located. Pursuant to Article 27 (1) GDPR, the controller or processor, in cases pursuant to Article 3 (2), shall designate in writing a representative in the Union. In addition, the controller or processor shall expressly appoint the representative and instruct him or her in writing. The GDPR does not provide any further specific requirements regarding the duration of the designation, the possibility of revocation or termination.
In practice, the function of a representative in the Union may be exercised based on a service contract. The contract should regulate the responsibilities, tasks and powers incumbent on the EU representative under Article 27 GDPR. It is not necessary to inform the supervisory authorities about the EU representative. The EU representative should be named in the data protection information (Article 13, 14 GDPR) and in the records of processing activities.
Competence of more than 60 consultants
- Fully qualified lawyers (2 state examinations), including attorneys with doctorates
- Specialists in IT law, intellectual property law, copyright and media law, insurance law and social law
- Master of Laws in IT law, media law, intellectual property law and industrial property law
- Bachelor of Laws in information law and business law
- TÜV‑certified data protection officers and data protection auditors
- Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E)
- IT‑Compliance Manager (ISACA) and Compliance Officer (TÜV)
- Data Protection Officer following association criteria (BvD)
- BSI certified audit team leader for ISO 27001 based on IT baseline protection and IS auditor
- ISO/IEC 27001 Lead Auditor, ISO/IEC 27001 Implementer, ISO/IEC 27001 Practitioner
- GIAC Certified Forensic Examiner, GIAC Advanced Smartphone Forensics, GIAC Reverse Engineering Malware, GIAC Cyber Threat Intelligence, GIAC Certified Incident Handler, GIAC Penetration Tester, GIAC Battlefield Forensics and Acquisition
- IT Security Officer (TÜV)
- Computer scientist and business information scientist
- Master of Engineering IT Security and Forensics
- Bachelor of Science General and Digital Forensics
- Cyber Security Practitioner (ISACA), IT Information Security Practitioner (ISACA)