EU Representative (Art. 27 GDPR)
Data Controllers and Data Processors not established in the EU (or EEA) that process personal data regarding data subjects located in the European Union have to designate a representative in the Union (Art. 27 GDPR). The representative serves as point of contact for the supervisory authorities and for data subjects in all matters relating to the processing of personal data. PLANIT // LEGAL will gladly take on this role and the related tasks for your company. For an efficient administration and documentation we provide you with access to our web portal PLANIT // DOCS.
Designation of an EU Representative
According to the European General Data Protection Regulation (GDPR) your company is obliged to appoint a representative in the European Union (EU) as contact for all questions on data protection from EU citizens and data protection supervisory authorities if both of the following conditions are met:
1. Your company is not established in the EU
This is the case if
- you do not have an office in an EU member state,
- you do not have a subsidiary in an EU member state, and
- you do not have any other kind of establishment in an EU member state.
2. Your company processes the data of people located in the EU
Your company processes the data of persons in the Union either in connection with the supply of goods or services (a) or to monitor the behaviour of these persons (b).
a) Offering Services or Products to Data Subjects in the EU
This is typically the case if you
- sell goods via an online shop,
- provide an online service or app,
- deliver goods to customers in EU member states,
- use EU website domains, such as .de, .fr, .es or .eu,
- use languages (on your website) or accept currencies of at least one EU member state (e.g. a US company accepting Euro, a Chinese company with a German website),
- use specific product branding for the EU market,
- run marketing campaigns aiming at the EU market (e.g. landing pages for EU visitors, competition, raffle), or
- provide specific contact details for EU customers.
b) Monitoring the Behaviour of People in the EU
The GDPR also covers the processing of data for the purpose of monitoring the behaviour of individuals in the EU. This is typically the case if your company
- tracks website visitors from the EU by using cookies or device fingerprinting,
- collects location or behavioral data (e.g. through websites, mobile apps or market surveys), or
- offers fitness tracking, personalised diet and health analytics services online.
The Role of EU Representative and Documentation Requirements
The representative in the Union has the following statutory duties:
- to cooperate with the EU supervisory authorities on behalf of your company.
- to serve as contact for data subjects, for the purposes of ensuring compliance with the GDPR.
- to keep a record of data processing activities carried out by your company.
Under the principle of accountability (Art. 5(2) GDPR) your company is obliged to maintain documentation of all data subject requests.
We offer the following services as EU Representative:
- Designation: Designation of PLANIT // LEGAL as EU Representative of your company according to Art. 27 GDPR, covering all EU member states.
- Records of Processing Activities: We will establish and maintain records of your company’s processing activities together with your company according to Art. 30 GDPR. On request, we will provide these records to the competent supervisory authorities.
- Contact Point / Hotline: As your EU Representative, we will be the contact for data subjects such as your customers and for supervisory authorities in all EU countries on all issues related to processing, for the purposes of ensuring compliance with the GDPR. We will provide a postal address in Hamburg (Germany), an email address and a telephone hotline (in German and English, available Mo – Fr, 9 AM – 5 PM CET, except public holidays in Hamburg, Germany).
We will handle requests of data subjects or supervisory authorities:
- Translation: Requests in languages other than English are first translated into English. PLANIT // LEGAL carries out translations from German, French, Spanish, Italian and Dutch internally. For requests in other languages, PLANIT // LEGAL organises translation by a translation agency. On request, we can also provide translation into another language for your company.
- Processing: Requests will be documented, reviewed and forwarded to you. We will attach a short assessment in English categorizing the request (indicating whether it is a formal request under Art. 12-21 GDPR, a request by a supervisory authority, whether it may relate to a data breach, etc.) and suggesting further courses of action.
- GDPR management portal: We will provide you access to our web-based GDPR management portal where we manage and keep your registers of processing activities and documentation of all requests by supervisory authorities and data subjects.
- < 10 employees
  - EUR 90/month plus VAT
  - Includes handling of up to 1 request by data subjects and/or supervisory authorities via the GDPR management portal.
- 11–99 employees
  - EUR 180/month plus VAT
  - Includes handling of up to 3 requests by data subjects and/or supervisory authorities via the GDPR management portal.
- > 100 employees
  - Starting from EUR 300/month plus VAT
  - Includes handling of up to 6 requests by data subjects and/or supervisory authorities via the GDPR management portal.
Any further requests not included in the monthly fee given above will be handled for EUR 50/request plus VAT via the GDPR management portal.
Translation expenses will be charged separately.