EU representative according to the GDPR

  • null
    EU representatives liaise with data protection authorities and data subjects in the EU. They help you to maintain your ROPA and can help you to achieve GDPR compliance.

  • null
    You fulfil the obligation to appoint a GDPR representative. You benefit from the extensive expertise of our lawyers on all data protection matters.

  • null
    From a basic representative service to our full-service GDPR support – depending on your chosen package.

The GDPR representative for non-EU businesses

The General Data Protection Regulation (GDPR) requires many companies that do not have offices, branches, or other establishments in the EU, but process the personal information of individuals within the EU to appoint a representative.

Basically, EU representatives liaise locally with individuals and national data protection authorities on behalf of data controllers or data processors with regard to their obligations under the GDPR. Furthermore, they maintain your records of processing activities (ROPA) and make these records available to supervisory authorities upon request.

Please note: Appointing an EU Representative alone does not ensure GDPR compliance. Your company still remains the controller or processor and must therefore comply with further obligations under the GDPR.

Requirements of an EU representative

Your EU representative must be located in the country where your data subjects are. Due to the nature of requests data protection supervisory authorities and data subjects may make, it is strongly advisable to appoint a representative that has a broad understanding of the relevant legal and technical data protection issues.

Furthermore, an EU representative should be able to communicate fluently in several European languages.

Choosing the right EU representative

As an established German data protection law firm, activeMind.legal is well-equipped to offer comprehensive GDPR services beyond the legally required minimum, if and when necessary. Our lawyers and experts have a broad understanding of the relevant legal and technical data protection issues enabling them to efficiently communicate with the authorities when necessary.

Besides representing your company with regard to its GDPR obligations, we can also help you establish the legally required records of processing activities and will advise you on the practical implementation of the GDPR within your organisation. Furthermore, we can draft all required data protection policies and support you with risk analysis and DPIAs.

How does the EU representative service work?

01.

Choose a package

Choose the relevant flat-rate plan, depending on how much support with data protection you would like to receive.
02.

Upload your data protection documents

If your organisation already has the required GDPR documents, such as records of processing activities, a data retention policy and a description of technical and organisational measures, etc. you can upload them so that they are available for reference by your representative.
03.

Set a date for an introductory discussion

One of our lawyers will contact you to set a date for an introductory discussion during which we guide you through the onboarding phase. This discussion will also help us to better understand your company’s activities in the EU and its processing of personal data. During the call, we will also gather information to establish your records of processing activities, if necessary.
04.

Ongoing advice

When the onboarding process is complete, we will provide you with ongoing data protection support in accordance with the flat-rate plan you have selected.

Our flat-rate packages

Basic

Fulfil the obligation to appoint an EU representative according to the General Data Protection Regulation.

Minimum contract duration:
12 months

190,00€ /month
Add to cart Excluding 19% tax

Business

Appoint an EU representative and receive essential data protection advice.

Minimum contract duration:
12 months

490,00€ /month
Add to cart Excluding 19% tax

Management

Appoint an EU representative and get proactive support with setting up your DPMS.

Minimum contract duration:
24 months

990,00€ /month
Add to cart Excluding 19% tax

What services are provided by an EU representative?

Please note, that the implementation of a data protection management system is mandatory. This means that all the points listed below are relevant to all companies and can be implemented with or without our support.
Service Basic Business Management
Appointment of a GDPR representative in all EU countries
Introductory discussion
Setting up of EU representative’s email address and support in updating your privacy notices to include the representative’s details.
Number of queries from data subjects or authorities i

Month or year mean calendar month or year.

2 / month

5 / month

15 / month

Maintaining the record of processing activities (ROPA)]

Unlimited number of privacy-related queries i

Query means related to the same issue. Questions or answers or matters on the same issue will not counted be separately. Example: A query that requires a total of two hours to resolve cannot – in principle - be divided into eight packages of 15 minutes.

per query ≤ 15 minutes per query ≤ 30 minutes per query ≤ 60 minutes
GDPR-compliant record of processing activities template with instructions
Creating the record of processing activities (or reviewing the existing record) -

5 processing activities / year

10 processing activities / year

Review of privacy policy on website (without webshop) -

1 / year

1 / year

Data processing as a controller: Review of the contract + technical and organisational measures (not onsite) - -

1 service provider / month

Advice on data protection impact assessment (DPIA) -
Data subject rights policy draft -
Data breach guidelines draft -
IT use policy draft - -
Data protection management handbook draft - -
(Internal) Privacy policy draft - -
Authorisation policy draft - -
Processing on behalf of a controller policy draft - -
Retention- and deletion policy draft - -
Risk assessment policy draft - -
Activity report 1 / year 1 / year 1 / year
Status discussion (via telephone) - 1 / year 1 / year
Monthly flat-rate fee 190 € 490 € 990 €
Minimum contract duration 12 months 12 months 24 months
Add to cart Excluding 19% tax
Add to cart Excluding 19% tax
Add to cart Excluding 19% tax
Service Basic
Appointment of a GDPR representative in all EU countries
Introductory discussion
Setting up of EU representative’s email address and support in updating your privacy notices to include the representative’s details.
Number of queries from data subjects or authorities i

Month or year mean calendar month or year.

2 / month

Maintaining the record of processing activities (ROPA)]

Unlimited number of privacy-related queries i

Query means related to the same issue. Questions or answers or matters on the same issue will not counted be separately. Example: A query that requires a total of two hours to resolve cannot – in principle - be divided into eight packages of 15 minutes.

per query ≤ 15 minutes
GDPR-compliant record of processing activities template with instructions
Creating the record of processing activities (or reviewing the existing record) -
Review of privacy policy on website (without webshop) -
Data processing as a controller: Review of the contract + technical and organisational measures (not onsite) -
Advice on data protection impact assessment (DPIA) -
Data subject rights policy draft -
Data breach guidelines draft -
IT use policy draft -
Data protection management handbook draft -
(Internal) Privacy policy draft -
Authorisation policy draft -
Processing on behalf of a controller policy draft -
Retention- and deletion policy draft -
Risk assessment policy draft -
Activity report 1 / year
Status discussion (via telephone) -
Monthly flat-rate fee 190 €
Minimum contract duration 12 months
Add to cart Excluding 19% tax
Service Business
Appointment of a GDPR representative in all EU countries
Introductory discussion
Setting up of EU representative’s email address and support in updating your privacy notices to include the representative’s details.
Number of queries from data subjects or authorities i

Month or year mean calendar month or year.

5 / month

Maintaining the record of processing activities (ROPA)]

Unlimited number of privacy-related queries i

Query means related to the same issue. Questions or answers or matters on the same issue will not counted be separately. Example: A query that requires a total of two hours to resolve cannot – in principle - be divided into eight packages of 15 minutes.

per query ≤ 30 minutes
GDPR-compliant record of processing activities template with instructions
Creating the record of processing activities (or reviewing the existing record)

5 processing activities / year

Review of privacy policy on website (without webshop)

1 / year

Data processing as a controller: Review of the contract + technical and organisational measures (not onsite) -
Advice on data protection impact assessment (DPIA)
Data subject rights policy draft
Data breach guidelines draft
IT use policy draft -
Data protection management handbook draft -
(Internal) Privacy policy draft -
Authorisation policy draft -
Processing on behalf of a controller policy draft -
Retention- and deletion policy draft -
Risk assessment policy draft -
Activity report 1 / year
Status discussion (via telephone) 1 / year
Monthly flat-rate fee 490 €
Minimum contract duration 12 months
Add to cart Excluding 19% tax
Service Management
Appointment of a GDPR representative in all EU countries
Introductory discussion
Setting up of EU representative’s email address and support in updating your privacy notices to include the representative’s details.
Number of queries from data subjects or authorities i

Month or year mean calendar month or year.

15 / month

Maintaining the record of processing activities (ROPA)]

Unlimited number of privacy-related queries i

Query means related to the same issue. Questions or answers or matters on the same issue will not counted be separately. Example: A query that requires a total of two hours to resolve cannot – in principle - be divided into eight packages of 15 minutes.

per query ≤ 60 minutes
GDPR-compliant record of processing activities template with instructions
Creating the record of processing activities (or reviewing the existing record)

10 processing activities / year

Review of privacy policy on website (without webshop)

1 / year

Data processing as a controller: Review of the contract + technical and organisational measures (not onsite)

1 service provider / month

Advice on data protection impact assessment (DPIA)
Data subject rights policy draft
Data breach guidelines draft
IT use policy draft
Data protection management handbook draft
(Internal) Privacy policy draft
Authorisation policy draft
Processing on behalf of a controller policy draft
Retention- and deletion policy draft
Risk assessment policy draft
Activity report 1 / year
Status discussion (via telephone) 1 / year
Monthly flat-rate fee 990 €
Minimum contract duration 24 months
Add to cart Excluding 19% tax

Choosing a package: Which one is right for my company?

Frequently asked questions about the EU representative

Which companies need an EU representative?

Article 27 GDPR requires companies that do not have offices, branches, or other establishments in the EU, but conduct business with European clients to appoint an EU Representative. Specifically, you must appoint an EU Representative if your organisation processes personal data in the following contexts:

  • Offering goods or services to individuals in the EU, or
  • Monitoring the behaviour of individuals in the EU.

This obligation applies to both data controllers and data processors.

What does an EU representative do?

An EU representative serves as a contact point between your company and individuals or data protection authorities in the EU. An EU representative therefore acts on your company’s behalf with regard to your obligations under the GDPR. Furthermore, the representative maintains your records of processing activities and makes these records available to supervisory authorities upon request.

Who can be an EU representative?

EU representatives can be external service providers, and the role can be performed by individuals or organisations, such as law firms, consultancies, or other private companies. They must be based in one of the countries where customers or data subjects that are being monitored are located.

What qualifications does an EU representative need?

The GDPR does not specify the minimum qualifications an EU representative should hold. However, it is strongly advisable to appoint a representative that has a broad understanding of the relevant legal and technical data protection issues in order to be able to communicate with the authorities efficiently. Furthermore, as an EU representative serves as the contact point between your company and data subjects or authorities, it is essential that the representative speaks the local language fluently.

Service description of our EU representative services:

Please note the following points relating to our EU representative services:

  1. All packages include the formal appointment of an EU Representative in accordance with Art. 27 GDPR. We will provide you with a sample appointment letter for your signature.
  2. We will be appointed as your company’s representatives in the whole of the EU. However, legal’s EU offices are located in Germany only. We are therefore only able to represent your company if it provides services or offers goods within Germany, or if it monitors the behaviour of individuals in Germany.
  3. Our employees have the required legal training and relevant practical experience in data protection and information security and are certified accordingly.
  4. The table above lists which individual services are offered within the scope of each package. To enable communication with the EU Representative, you must designate a contact person within your organisation and provide their contact details to activeMind.legal. Should the contact person change, you must inform us immediately.
  5. activeMind.legal will draft the documents and establish your records of processing activities in English. It is our understanding that this meets the requirements of the GDPR. Should a supervisory authority demand such records in a different language, you must ensure the relevant translations are provided and pay for them.
  6. The service is invoiced on a quarterly basis with a minimum term of twelve months. It will be extended for an additional 6 months from the end of the original period, if it is not terminated by written notice at least 3 months before the end of the original period. Cancellation must be in writing or via your user account on activeMind.shop.