Our Services

An EU Representative is an EU-based designee of a non-EU establishment (Data Controller or Data Processor) that is subject to the General Data Protection Regulation (GDPR) of the EU. A natural (individual) or moral (corporation) person can play the role of an EU Representative. The EU Representative is the Controller’s or Processor’s contact person vis-à-vis European privacy supervisors and data subjects in all matters relating to data processing, to ensure compliance with this GDPR. See Art. 27(4)GDPR. The purpose of such representation is to enable the European data protection supervisory authorities to ensure compliance with the GDPR, by being able to control or supervise the activities of the non-EU establishments that are subject to the GDPR, through their respective representatives in the EU.

How Do I Know If I Am Subject To The GDPR?

It is worth stating that all establishments in the EU are subject to the GDPR, irrespective of whether the establishment is the company’s head office or just a simple branch or a representation, and irrespective of where the processing takes place. However, a non-EU establishment shall be subject to the GDPR if it regularly undertakes one of the following activities: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the EU; and/or (b) the monitoring of the behavior of data subjects in the EU, as far as their behavior takes place within the EU (see Art. 3(2) GDPR). This provision concerns any company that offers goods or services online to EU customers or uses cookies or similar technologies to track EU data subjects. Such establishments must comply with the GDPR, and thus obliged to designate an EU Representative.

However, a non-EU establishment is exempted from designating an EU Representative when the processing is only occasional and does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10 GDPR, and such processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. Non-EU public authorities and bodies are equally exempted. See Art. 27(2) GDPR.

Do I still need to designate an EU Representative?

As earlier mentioned, for a non-EU establishment to be exempted from the EU representation obligation, the company must either be a public body, or has at least a branch or a “representation” in the EU. So a European affiliate of a non-EU establishment is not a branch of the latter, and as such the non-EU establishment remains obliged to designate an EU Representative. The non-EU establishment may choose to designate its EU affiliate as its Representative. However, this type of representation has some shortcomings. Firstly, the object of the EU affiliate may not be data protection, so it would be of little help to the non-EU affiliate. Secondly, EU Representation and the associated data protection activities may not fall within the scope of the company’s insured activities. Thirdly and lastly, giving advice and monitoring the activities of the non-EU company as well as cooperating with the European regulators on the latter’s behalf, may not fall within the scope of activities of the DPO of the European affiliate. Moreover, this may rather seem to be over-demanding, especially if the DPO is a natural person.

What would happen if I fail to designate an EU Representative?

It is worth noting that the GDPR, in force since 25 May 2018, is known for being the most rigorous privacy law on earth at the moment, particularly due to its heavy fines and its extraterritorial character. If a foreign company that is subject to the GDPR refuses to designate an EU Representative as required, then the former is infringing the GDPR and runs the risk of being imposed an administrative fine of up to ten million Euros (10 000 000 EUR) or up to 2 percent of a company’s total worldwide annual turnover of the preceding financial year, whichever is higher. Ignorance of the GDPR would not be an excuse, and the intentional or negligent (willful blindness) character of the infringement (failure to designate an EU Representative) may rather constitute aggravating factors. See Art. 83(1),(2)&(4a) GDPR. It is for these very reasons that most foreign companies are in a haste to designate their respective EU Representatives, and CPL is here to help you have one.

Located in the Munich, the EU Representation service provided by CYBERLEGIS is the
rightful choice for a good number of reasons:

• Efficiency: CYBERLEGIS is a specialized provider for Art 27 GDPR services. It comprises of highly qualified and experienced privacy legal experts. We are proud of having satisfied all our clients, and we would be pleased to put our know-how at your service.
• Cost Effectiveness: CYBERLEGIS charges just by default 4000 EUR net per year for its EU representation services, irrespective of the client company’s annual turnover. This amount is reasonable, and it is far better than nominating one of your European affiliates to play this role, because it may raise noncompliance problems (e.g. a software company should not act as trustee) or may also be incompatible with insurance policies(e.g. acting as trustee in general not covered by classic corporate insurance policies). In case CYBERLEGIS offers to negotiate the price for a certain type of business.
• Insurance Coverage: CYBERLEGIS charges just by default 4000 EUR net per year for its EU representation services, irrespective of the client company’s annual turnover. This amount is reasonable, and it is far better than nominating one of your European affiliates to play this role, because it may raise noncompliance problems (e.g. a software company should not act as trustee) or may also be incompatible with insurance policies(e.g. acting as trustee in general not covered by classic corporate insurance policies). In case CYBERLEGIS offers to negotiate the price for a certain type of business.
• Professionalism: Thanks to our sense of professionalism, only specialized Art 27 GDPR Experts are allowed to act as EU Representatives
  or handle representation-related matters. When you choose the CYBERLEGIS, a particular expert with data privacy expertise and legal knowledge in privacy matters would be assigned to you, for proper attention. Moreover, unlike having to designate an EU affiliate company that might be specialized inother fields of business, data protection is the day-to-day activity of CYBERLEGIS.
• Assured Availability: In an effort to satisfy its clients, the designated EU Representative would be reachable not only from Monday to Friday (09:00h– 18:00h) via a team of English speaking secretaries, but equally at weekends via e-mail and cell phone. Also, there is continuity of service at the CYBERLEGIS, thanks to its reasonable number of staff, who would easily substitute each other in case of unforeseen circumstances. This may not be the case when you designate an individual, as everything may come to a standstill in case of an eventuality.

The designation procedure quite is simple. If you would like to start by
contacting the management of CPL, then kindly send an email to:

niedermeier@cyberlegis.eu

Mobile: +49 171 2440099

Generally, you would receive a reply within 24 hours.

We have standard document designating one of our expert Lawyers as your EU Representative. In this regard, you would receive a draft designation document, which you would print, sign, and send by post, in accordance with Art. 27(1) GDPR.