GDPR EU Representative

GDPR EU Representative

Are you a non-EU organisation that falls under the scope of the GDPR (General Data Protection Regulation)?

Meet your Article 27 obligations with an annual subscription to our GDPR EU Representative service.

Enquire today
Price: £0.00
Excluding VAT

Appointing a GDPR representative in the EU

Under the GDPR, data controllers and processors that are based outside the EU but offer goods or services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in an EU Member State where those data subjects are.

The representative acts on your behalf in relation to your personal data processing activities, and acts as a local contact for data subjects and supervisory authorities.

The obligation to appoint a representative does not apply to:

  • Processing that is occasional, does not include large-scale processing of special categories of data or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.
  • Public authorities or bodies.

GRCI Law’s GDPR EU Representative service

Using our annual subscription service, you will be supported by our qualified data privacy, legal and compliance team, which will serve as your EU representative, as set out in Article 27 of the Regulation.

We will:

  • Register our EU address as your GDPR representative address.
  • Be addressed on all issues related to your personal data processing activities.
  • Act as first point of contact for communications received from EU-based data subjects in relation to data subject rights requests and other general GDPR-related enquiries.
  • Act as first point of contact for communications received from EU supervisory authorities and liaise with them on all matters pertaining to the GDPR, e.g. responding to data subject rights complaints and personal data breach reporting.
  • Hold a record of your processing activities and make these available to the data protection authorities at their request.

Data protection if there’s no Brexit deal

On 13 September 2018, the UK government published a technical notice: Data protection if there’s no Brexit deal. It details the government’s plans for maintaining UK data protection legislation if the UK leaves the EU without an agreement – i.e. a ‘no deal’ scenario.

The notice highlights the importance of the free flow of personal data between the UK and the EU to maintaining the current economic relationship and ongoing cooperation on security, and confirms that both sides are committed to maintaining a high standard of data protection.

Appointing a GDPR representative in the UK

In the event of a no-deal scenario, the UK government will use the EU Withdrawal Act (which retains the GDPR (General Data Protection Regulation) in UK law and gives the government the power to make appropriate amendments to ensure the Regulation works effectively in a UK context) to make amendments to the applicable UK laws (e.g. the Data Protection Act 2018) to bring them in line with the GDPR, and adapt local law to suit local requirements – e.g. by replacing references to “Union or Member State law” with “domestic law” and substituting references to “decisions made by the EU Commission” with references to “decisions made by the UK Government”, etc.

The government calls this the ‘No Deal’ framework. The Department for Digital, Culture, Media & Sport has issued guidance outlining its key components – including UK representation for controllers.

UK representation for controllers

Where article 3(2) of the EU GDPR applies, article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.

The UK government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.

GRCI Law already acts as the EU representative for a number of non-EU-based controllers. We are able and ready to do the same for any non-UK-based controllers that need to appoint a UK representative in the event of a no-deal scenario.

Key Contacts




About us

Led by our management team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we provide DPO, breach, data privacy management, and data subject access request support, and associated non-reserved legal services.

We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear in order to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.

Stay in touch

Stay up to date with the latest industry news on our blog.

Follow us on social media


Speak to an expert

If you have any queries or you’re unsure of how to progress, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.

Enquire today