Frequently Asked Questions

Do I need an EU-representative according to Art 27 GDPR?


Which companies need an EU representative?

Companies established outside the EU are required to appoint a representative in the EU according to Art 27 GDPR if they:

  • offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or

  • monitor their behaviour (e.g. cookie profiling).

Are there any exemptions from the obligation to appoint an EU representative?

According to Art 27 GDPR, controllers or processors are exempted from this obligation if all of the following criteria are met:

  • personal data is only processed occasionally,

  • data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and

  • data processing is unlikely to result in a risk to the rights and freedoms of data subjects.

What are the responsibilities of the representative?

The representative shall act as a middleman between authorities and data subjects on the one hand and the processor and controller outside the EU on the other hand. The representative needs to be mandated by the controller or processor in writing to be addressed by supervisory authorities and data subjects on all privacy issues. Furthermore, according to Art 30 GDPR, the representative shall maintain the records of processing activities and make them available to the supervisory authority on request.

What fine may be imposed for non-compliance?

The GDPR extends its ‘territorial scope’ to controllers and processors having their registered office in a country outside of the EU. As a result, the exorbitantly high penalties of up to EUR 10 million or 2% of the worldwide annual turnover apply if a processor or a controller does not comply with the obligation to appoint an EU representative. The penalties may be enforced by individual claims or by authorities.

How can GDPR-Rep.eu help me/my business?


Who is GDPR-Rep.eu?

GDPR-Rep.eu is a service provided by the attorneys at law iuro | Maetzler Rechtsanwaelte GmbH & Co KG, a law firm qualified in the European Union and located in Vienna. iuro specialises in data protection law and acts as Data Protection Officer and Representative for customers all over the world. The service has been created and continues to be improved by a team of lawyers, IT-security specialists and software developers.

What are the GDPR-Rep.eu services?

GDPR-Rep.eu has automated the role of the representative and offers a representation complying with Art 27 GDPR as a SaaS solution. The basic service of GDPR-Rep.eu contains:

  • an individual privacy landing page with a contact form for data subjects and authorities

  • a certificate of representation

  • unlimited forwarding of electronic requests from data subjects

  • unlimited forwarding of postal messages from data subjects

  • unlimited forwarding of requests from supervisory authorities

  • Individual bespoke legal services, especially answering requests by data subjects or authorities. Advisory or consulting services are not included in the SaaS solution but offered separately by iuro.

How can I appoint GDPR-Rep as my representative?


What is the process of appointing GDPR-Rep.eu as EU representative?
  1. Choose the subscription that fits the size of your company – start-ups, micros, small enterprises, medium-sized enterprises or large enterprises. The categories are based on the common European classification of companies by the number of employees.

  2. Fill in the registration form and choose a payment method. Please note that the default payment method is payment by credit card. If you would like to pay via bank transfer, please contact us.

  3. After registering, you will find a download button for the Power of Attorney (PoA). A written PoA is required to evidence the appointment of GDPR-Rep.eu as your representative in case of requests by data protection authorities. We kindly ask you to sign and upload your PoA.

  4. Our back office team will check and verify the provided information on your company and the PoA. This is usually done within minutes but can take up to one business day in case of a high number of requests.

  5. After the PoA has been approved, you can log in to your dashboard where you can find information on what you can include in your homepage and privacy policy to get started.

How does GDPR-Rep.eu verify the existence of my company?

Our verification and identification process is based on a so-called “penny transfer”. We ask you to provide the credit card details of your company and charge you EUR 1. If this transfer is successful, we rely on the Know-Your-Customer check of your bank.

What are my payment options?

You can choose between monthly, quarterly and yearly payment. You get a discount for the quarterly payment option and an even higher discount for the yearly payment option. Please note that your options to terminate the subscription depend on the chosen payment period.

Furthermore, you can choose between paying with credit card or via bank transfer. We accept almost all credit cards and bank transfers in all major currencies: AUD - Australian Dollar, BRL - Brazilian Real, CAD - Canadian Dollar, CHF - Swiss Franc, EUR - Euro, GBP - Pounds Sterling, HKD - Hong Kong Dollar, HRK - Croatian Kuna, JPY - Japanese Yen, NOK - Norwegian Krone, NZD - New Zealand Dollar, SGD - Singapore Dollar, TRY - Turkish Lira, USD - US Dollar. Please contact our support team should you have further questions!

We are a group of companies. Do you offer special options for us?

Every separate entity requires representation according to Art 27 GDPR. Nevertheless, with the "medium-sized enterprise package" and the "large enterprise package" you have the option to sign up for a group package to manage the representation of your affiliates through one main account with sub-accounts for every affiliate. In the "medium-sized enterprise package", up to 5 entities are included. The "large enterprise package" offers unlimited entities. All included group entities must operate in the same industry, offer the same range of products and have the same or a linked brand.

How can I manage the representation?


What happens to incoming requests?

GDPR-Rep.eu filters and processes requests according to formal criteria in compliance with GDPR requirements.

Does GDPR-Rep.eu offer help with answering requests?

GDPR-Rep.eu is an automated SaaS solution provided by the iuro attorneys at law. iuro would be pleased to assist you in answering requests as an individual bespoke legal service.

Is GDPR-Rep.eu one of my processors and where can I find the data processing agreement?

If individuals contact GDPR-Rep.eu with requests addressed to you, GDPR-Rep.eu processes personal data on your behalf. The data processing agreement for this type of processing is attached to your Engagement Letter.

How can I manage more than one business?

Each of your companies has one account conveniently managed through your main account. Billing can either be centralized through your main account or done separately for each company.