GDPR Representative Service tiers
1 – 10
£750 annually when you buy online
£1,250 annually when you buy offline
11 – 250
£1,250 annually when you buy online
£1,750 annually when you buy offline
251 – 500
£1,750 annually when you buy online
£2,250 annually when you buy offline
501+ employees or
Under the EU GDPR, data controllers and processors outside the EU offering goods or services to, or monitoring the behaviour of, data subjects in the EU need to consider appointing an EU representative. There are limited exceptions to this, depending on the volume and type of data you are processing or whether you are a public body or authority. However, the extent to which exceptions apply has not yet been tested.
The EU GDPR representative acts as a local contact for data subjects and supervisory authorities in relation to all issues arising from the processing of personal data.
Our annual subscription service is delivered by IT Governance Europe, which will serve as your EU representative, in compliance with Article 27 of the EU GDPR. IT Governance Europe is incorporated and based in the Republic of Ireland.
Since 1 January 2021, when the transition period ended, non-UK-based data controllers have needed to appoint a UK representative for dealing with UK data subjects.
The UK representative acts as a local contact for data subjects and the UK’s data protection authority, the ICO (Information Commissioner’s Office).
Still not sure if this service is right for you? Read our frequently asked questions or take advantage of our EU and UK GDPR Representative Advice Service.
This service applies to single-entity organisations with between 1 and 500 staff. The service can be delivered to organisations in any sector or industry.
For organisations with more than 500 employees or multiple entities, we can provide a bespoke solution to meet your requirements. Please contact us to discuss your needs.
Please note that this service does not include advice or guidance on Article 30 records of processing activities.
Our administrative costs of processing an online purchase are much lower than for an offline purchase and we pass those savings on to you.
The EU representative’s role is to ensure that individuals (data subjects) and data protection authorities (supervisory authorities) have a mechanism which allows them to communicate with organisations. A key driver behind this is to make sure that EU citizens will be able to contact the data processors and controllers outside Europe who hold their personal data in a quick, efficient and simple way.
Put simply, under Article 27 of the EU GDPR, if your organisation has no business presence in Europe (the 27 member states of the European Union as well as Iceland, Norway and Liechtenstein in the European Economic Area), you need to appoint an EU representative if:
Monitoring or “profiling” within the GDPR framework means anything you do that involves the automated analysis or predicting of behaviour of individuals, their movements, personal preferences, health, economic situation etc.
There are limited exceptions to this, depending on the volume and type of data you are processing or whether you are a public body or authority. However, the extent to which exceptions apply has not yet been tested.
Organisations based outside Europe have been required to put an EU representative in place since the introduction of the GDPR. What has changed is that, since 1 January 2021, the UK is no longer a member state of the European Union, so UK-based organisations that don’t have a business presence in Europe but are marketing to Europe or monitoring the behaviour of people in Europe now need an EU representative.
As details of the EU representative need to be easily accessible, typically in your privacy documentation (for example, in your customer-facing privacy notice or published on your website), it is obvious if you have failed to meet your Article 27 obligations. If you are in breach of Article 27 you may face fines of up to ten million Euros or 2% of your global turnover.
We act as a communications conduit between your organisation and data subjects, and between your organisation and data protection authorities. We provide you with an EU representative email address and wording to insert into your privacy notice(s), and hold an up-to-date copy of your Article 30 record of processing activities, as required by Article 27. We pass any enquiries from data subjects or data protection authorities to you to deal with.
This is an annual fixed fee service. Our pricing is based on the size of the organisation and we charge per entity.
We can provide an EU representative for all group entities, but we charge based on the number of entities that need to be included.
Our EU representative service is based in the Republic of Ireland. It is provided by our sister company IT Governance Europe Limited.
Generally, an EU representative is appointed in the EU member state where the majority of your customers or clients reside. However, given the global nature of the internet and the possibility of processing customer data from the whole EEA, there appear to be no restrictions on hosting your EU representative in one member state.
No, we charge a flat fixed fee based on the size of your organisation.
We don’t offer translation services. We pass any enquiries from data subjects or data protection authorities to you in the language we received them.
It is not required under the regulation but you need to make details of your EU representative easily accessible, for example in your privacy notice or by publishing details on your website.
The Article 30 record is a key document for GDPR compliance and should document what data you are processing and why, where data is stored, the volume of data you are dealing with and how it is moving through your organisation. If you don’t have an accurate picture then you may not be aware of where your compliance gaps are and where you might be in breach of the GDPR. You also need to have one readily available in case a data protection authority asks to see it.
The exemptions are very limited and haven’t been fully tested. Without an accurate and up-to-date record of processing activities it is difficult to be assured that you are compliant. It is best practice to have one and we strongly recommend all clients have one and keep it up to date.
The GRCI Law team can help you with this but it is not included in this service. We would be happy to talk to you about your specific requirements.
Ideally, as soon as you sign up or as soon as possible.
We pass all enquiries from data subjects to you to deal with along with any enquiries from data protection authorities.
We would contact you first before responding to a request from a Supervisory Authority.
Enjoy the benefits of paying by purchase order with a GRCI Law corporate account. Apply online today or call our service centre team on +44 (0)333 900 5555.
We are a specialist consultancy firm offering a full suite of data protection, privacy, cyber risk and information security legal and compliance solutions and associated non-reserved legal services. Our clients operate globally in a wide range of sectors including health and social care, education, professional services, retail, technology, media and telecoms.
We are market leaders in terms of depth and breadth of experience. Our team of lawyers, DPOs (data protection officers) and cyber incident response experts have decades of experience and sector-specific knowledge between them.
We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.
Christina Maclean – Managing Executive
Christina has overall responsibility for the running of GRCI Law. She oversees commercial strategy, client relationship management, product development and new business. She has a track record of driving growth through evidence-based strategy and providing excellent client service. She is a non-practising solicitor with a background in business development, marketing, communications and broadcast media.
Loredana Tassone – Managing Consultant, Head of EU & UK Representative Service
Loredana oversees operations, service delivery, and management and development of the consultant team. She has more than 15 years’ experience in the fields of privacy rights, data protection and cyber security in both the private and public sectors. She is a specialist in international and European law, and a qualified attorney at law in France and Italy. Based in Brussels, she advises GRCI Law clients on a wide range of data privacy issues. She is a certified GDPR consultant, DPO and trainer, and has worked at the European Court of Human Rights, at the Directorate General of Human Rights and Legal Affairs of the Council of Europe, and for international law firms in the EU.
If you have any queries or you’re unsure of how to progress, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.