The GDPR representative for non-EU businesses
Basically, EU representatives liaise locally with individuals and national data protection authorities on behalf of data controllers or data processors with regard to their obligations under the GDPR. Furthermore, they maintain your records of processing activities (ROPA) and make these records available to supervisory authorities upon request.
Please note: Appointing an EU Representative alone does not ensure GDPR compliance. Your company still remains the controller or processor and must therefore comply with further obligations under the GDPR.
Requirements of an EU representative
Furthermore, an EU representative should be able to communicate fluently in several European languages.
Choosing the right EU representative
Besides representing your company with regard to its GDPR obligations, we can also help you establish the legally required records of processing activities and will advise you on the practical implementation of the GDPR within your organisation. Furthermore, we can draft all required data protection policies and support you with risk analysis and DPIAs.
How does the EU representative service work?
- Choose a package
- Upload your data protection documents
- Set a date for an introductory discussion
- Ongoing advice
Our flat-rate packages
- Basic: minimum contract duration 12 months
- Business: minimum contract duration 12 months
- Management: minimum contract duration 24 months
What services are provided by an EU representative?
Service | Basic | Business | Management |
---|---|---|---|
Appointment of a GDPR representative in all EU countries | | | |
Introductory discussion | | | |
Setting up of EU representative’s email address and support in updating your privacy notices to include the representative’s details | | | |
Number of queries from data subjects or authorities * | 2 / month | 5 / month | 15 / month |
Maintaining the record of processing activities (ROPA) | | | |
Unlimited number of privacy-related queries ** | per query ≤ 15 minutes | per query ≤ 30 minutes | per query ≤ 60 minutes |
GDPR-compliant record of processing activities template with instructions | | | |
Creating the record of processing activities (or reviewing the existing record) | - | 5 processing activities / year | 10 processing activities / year |
Review of privacy policy on website (without webshop) | - | 1 / year | 1 / year |
Data processing as a controller: Review of the contract + technical and organisational measures (not onsite) | - | - | 1 service provider / month |
Advice on data protection impact assessment (DPIA) | - | | |
Data subject rights policy draft | - | | |
Data breach guidelines draft | - | | |
IT use policy draft | - | - | |
Data protection management handbook draft | - | - | |
(Internal) Privacy policy draft | - | - | |
Authorisation policy draft | - | - | |
Processing on behalf of a controller policy draft | - | - | |
Retention and deletion policy draft | - | - | |
Risk assessment policy draft | - | - | |
Activity report | 1 / year | 1 / year | 1 / year |
Status discussion (via telephone) | - | 1 / year | 1 / year |
Monthly flat-rate fee | 190 € | 490 € | 990 € |
Minimum contract duration | 12 months | 12 months | 24 months |

\* Month or year means calendar month or year.

\** A query covers everything related to the same issue. Questions, answers or matters on the same issue will not be counted separately. Example: A query that requires a total of two hours to resolve cannot, in principle, be divided into eight packages of 15 minutes.
Choosing a package: Which one is right for my company?
Frequently asked questions about the EU representative
Which companies need an EU representative?
Article 27 GDPR requires companies that do not have offices, branches, or other establishments in the EU, but conduct business with European clients to appoint an EU Representative. Specifically, you must appoint an EU Representative if your organisation processes personal data in the following contexts:
- Offering goods or services to individuals in the EU, or
- Monitoring the behaviour of individuals in the EU.
This obligation applies to both data controllers and data processors.
What does an EU representative do?
An EU representative serves as a contact point between your company and individuals or data protection authorities in the EU. An EU representative therefore acts on your company’s behalf with regard to your obligations under the GDPR. Furthermore, the representative maintains your records of processing activities and makes these records available to supervisory authorities upon request.
Who can be an EU representative?
EU representatives can be external service providers, and the role can be performed by individuals or organisations, such as law firms, consultancies, or other private companies. They must be based in one of the countries where customers or data subjects that are being monitored are located.
What qualifications does an EU representative need?
The GDPR does not specify the minimum qualifications an EU representative should hold. However, it is strongly advisable to appoint a representative that has a broad understanding of the relevant legal and technical data protection issues in order to be able to communicate with the authorities efficiently. Furthermore, as an EU representative serves as the contact point between your company and data subjects or authorities, it is essential that the representative speaks the local language fluently.
Please note the following points relating to our EU representative services:
- All packages include the formal appointment of an EU Representative in accordance with Art. 27 GDPR. We will provide you with a sample appointment letter for your signature.
- We will be appointed as your company’s representatives in the whole of the EU. However, activeMind.legal’s EU offices are located in Germany only. We are therefore only able to represent your company if it provides services or offers goods within Germany, or if it monitors the behaviour of individuals in Germany.
- Our employees have the required legal training and relevant practical experience in data protection and information security and are certified accordingly.
- The table above lists which individual services are offered within the scope of each package. To enable communication with the EU Representative, you must designate a contact person within your organisation and provide their contact details to activeMind.legal. Should the contact person change, you must inform us immediately.
- activeMind.legal will draft the documents and establish your records of processing activities in English. It is our understanding that this meets the requirements of the GDPR. Should a supervisory authority demand such records in a different language, you must ensure the relevant translations are provided and pay for them.
- The service is invoiced on a quarterly basis with a minimum term of twelve months. It will be extended for an additional 6 months from the end of the original period, if it is not terminated by written notice at least 3 months before the end of the original period. Cancellation must be in writing or via your user account on activeMind.shop.