Count on us for all your EU GDPR Representative requirements!

  • Get GDPR ready for the EU market by appointing us as your official GDPR Representative.
  • We can also serve as your company’s eyes and ears on the ground in the EU, keeping track of the newest GDPR compliance developments.

Trusted by hundreds of organisations across 42 countries, from small to large businesses

Get GDPR ready

Comply with GDPR requirements and enjoy EU-wide coverage. We are your first line of defence!

Grow your business

Gain the trust of your clients and partners, and demonstrate your commitment to data privacy.

Achieve Scalability

Benefit from a one-stop shop for security incident reporting under the EU GDPR.

Be Accurate

Our legal experts keep track of new legal requirements to ensure that your business is always in compliance.

Features and Services

Certified Representative

Rely on your point of contact for data subjects in the EU.

Addressee for Authorities

Rely on expert knowledge in communicating with authorities.

Monthly Subscription

Pay as you go. Cancel anytime. No hidden fees.

Compliance Landing Page

Create a unique access point for all privacy related matters.

Customer Support

Get instant support from EU privacy professionals.

Knowledge Hub

Stay up-to-date on your GDPR compliance and recent policy changes.

Easy Documentation

Manage GDPR requirements for your privacy policy, RoPA, & more.

Add-On Services

Request data breach assistance and additional representation.

EU Wide Coverage

Tsaaro Netherlands Office: Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands

  • Schellinggasse 3/10, 1010 Vienna, Austria
  • Kriegerstraße 44, 30161 Hannover, Germany
  • 9 Clare Street, Dublin 2 D02 HH30, Ireland
  • Alcala 116 6 izquierda, 28009 Madrid, Spain
  • Rua Irmãos de Sousa, 9 – 201, 4715 – 246 Braga, Portugal
  • Alexander Zhendov Str. 1, fl. 6, office 38, 1113 Sofia, Bulgaria
  • Marshalllaan 2, unit 2.02, 2625 GZ Delft, Netherlands
  • Hovslagargatan 3, 111 96 Stockholm, Sweden
  • 30 – 32 Daniel Danielopolu Street, Bucharest, 014134, Romania
  • 27, rue Dumont d’Urville, 75116 Paris, France
  • 31B, Verkiu str., 2nd floor, Vilnius, Lithuania

Working Concept

1. Sign up for your subscription and fill out your company information with just a few clicks.

2. We assess your privacy requirements and notify you when we have verified your account to start your free trial.

3. Log in to your client area and integrate your personalised GDPR-Rep privacy policy snippet into your website.

4. Enjoy your GDPR-Rep services and demonstrate your privacy readiness to customers, partners, and authorities.

Pricing

Startup

19.00€ /month

Founders with no employees

Micros

39.00€ /month

Micro (< 10 employees)

Small

79.00€ /month

Small (10-49 employees)

Medium

189.00€ /month

Medium (50-249 employees)

Large

480.00€ */month

Large (250+ employees)

What's Not Included

Frequently Asked Questions on GDPR-Rep

Does our company need an Art 27 GDPR representative in the EU?

Which companies need an EU representative?

Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:

 
  • offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or
  • monitor their behaviour (e.g. cookie profiling).

According to the Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR, this applies to both controllers and processors. For processors not established in the European Union the applicability of GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller. 

Case 1: Online Gaming: You are an online gaming company located outside the EU and offer your games to data subjects in the EU free of charge. When using your games you analyse the data subjects' geolocation data, web-browser data and history, and show ads based on this data. As you target the EU market by offering your games and monitoring the users' behaviour you are legally required to appoint a GDPR Representative physically established in an EU member state to remain compliant. Violations of the EU GDPR can lead to substantial fines by authorities and exclusion from business activities in the EU.
Case 2: B2B SaaS: You develop CRM software and offer it as a SaaS product to companies, which are either targeting the EU without an establishment or which are located in the EU. Because your business clients are targeting EU data subjects and your CRM software product is processing and storing their data, you are also required to appoint a GDPR Representative physically established in an EU member state. It is likely that your business clients in the EU will also require you to appoint a representative and enter into a data processing agreement. You can establish trust by already being GDPR compliant during the negotiation phase with your business clients.

Are there any exemptions from the obligation to appoint an EU representative?

According to Art 27 GDPR, controllers or processors are exempted from the regulation if ALL of the following criteria are met:

 
  • personal data is only processed occasionally, which is only from time to time and non-systematic; AND
  • data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences; AND
  • data processing is unlikely to result in a risk to the rights and freedoms of data subjects.

It is hard to meet ALL of these criteria; in particular, the criterion of processing data only occasionally proves to be a big hurdle for most businesses.

Does my company offer goods and services to individuals in the EU?

Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, a mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The EDPB listed the factors to be taken into account when assessing if goods and services are offered in its Guideline 3/2018 on the territorial scope of GDPR. Some of the factors are:

 
  • using languages of EU Member States, or offering payments in a currency of an EU Member State;
  • using Google or Facebook ads to address the EU market, or any other marketing activity directed towards EU customers;
  • mentioning EU references or testimonials;
  • the activity at hand being of an international nature, such as certain tourist activities;
  • mentioning dedicated addresses or phone numbers to be reached from an EU country;
  • use of EU top-level domains;
  • description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • offering the delivery of goods to EU Member States.

In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's product, GDPR is likely to apply.  

Case 1: A website, based and managed in Turkey, offers services for creating, editing, printing, and shipping personalised family photo albums. The website is available in English, French, Dutch, and German, and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by mail in the UK, France, Benelux, and Germany.
Case 2: A Swiss University offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such services to data subjects who are in the European Union, and GDPR will apply to the related processing activities.

Does my company monitor the behaviour of EU data subjects?

Not all online collection or analysis of personal data of individuals in the EU counts automatically as “monitoring”. Monitoring the behaviour of EU data subjects implies an intention to collect data for a specific purpose. Therefore, any kind of tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, qualifies as 'monitoring'. Again, the EDPB gives some more guidance in the Guidelines 03/2018. According to the EDPB, monitoring may take place not only on the internet but also through wearables and other smart devices. Monitoring activities include:

 
  • Behavioural advertisement
  • Geo-localisation activities, in particular for marketing purposes
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting
  • Personalised diet and health analytics services online
  • CCTV
  • Market surveys and other behavioural studies based on individual profiles
  • Monitoring or regular reporting on an individual’s health status

Case 1: A marketing company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking.
Case 2: An app developer is established in Canada with no establishment in the European Union and uses a processor established in the US for optimisation and maintenance of the app; however, it also monitors the behaviour of data subjects in the European Union. The developer is therefore subject to GDPR, as per Article 3(2)b.

What fine may be imposed for non-compliance?

The GDPR extends its 'territorial scope' to controllers and processors that have their registered office in a country outside of the EU. As a result, the exorbitantly high penalties of up to €10 million or 2% of the worldwide annual turnover can apply if a processor or a controller does not comply with the obligation of appointing an EU representative. The penalties may be enforced by individual claims or by authorities. Furthermore, your partners in the EU may be obliged to stop transferring data to your company.

What should I look for in an EU Representative? And what is Tsaaro’s approach?

What are the responsibilities of the representative?

The representative shall act as an addressee for authorities and data subjects to facilitate the communication with processors and controllers outside the EU. The representative needs to be mandated in writing by the controller or processor to evidence the appointment. Furthermore, the representative shall, according to Art 30 GDPR, maintain the records of processing activities and shall make the record available to the supervisory authority on request.

How has Tsaaro's business model been designed to meet these requirements?

  • A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process; and
  • Currently we assist clients in the drafting of records of processing activities by providing prefilled templates along with extensive support and guidance.

Where should a representative be located?

First of all, the EDPB clarifies in its Guideline 03/2018 on territorial scope that only one representative needs to be appointed in an EU Member State, which can then serve for all other Member States. In the event that a significant proportion of the customer base is in one particular Member State it is best practice that the representative is established in this Member State. In any case, the representative will be easily accessible for data subjects in all Member States no matter where the representative is located.

  • professionals in every location.

What is the difference between a DPO and an EU GDPR representative?

When do I need a DPO and when do I need a representative?

You are obliged to appoint a data protection officer (DPO) if your company meets one of the following three criteria:

 
  • the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
  • the core activities of your company consist of processing operations which, by virtue of their nature, their scope and/or their purpose, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of your company consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

More information regarding how the criteria are interpreted is outlined in the Guideline of the Art 29 Working Party on Data Protection Officers. In comparison to the requirements for appointing a DPO, a GDPR representative is needed when offering goods and services or monitoring EU data subjects.

In a nutshell: the criteria for the requirement of a DPO reflect a higher risk involved with certain processing activities, whereas the requirements for an EU GDPR representative are triggered when your company’s processing of personal data of individuals located in the EU is noticeable.

What is the position of a DPO compared to an EU GDPR representative?

A Data Protection Officer (DPO) shall be involved in all issues related to the protection of personal data in a company. The role of a DPO is also to monitor the company’s compliance with GDPR, assist in data protection impact assessments, and to advise the management on privacy by design and privacy by default as well as all other privacy related matters. Hence, a DPO needs to be close to the company and needs to be involved in the day-to-day business. Whenever possible, the DPO shall be located in the region of the company’s headquarters.

In comparison, the EU GDPR Representative is by nature operating at a distance when representing the company due to the lack of an establishment in the EU. The representative is therefore a substitution for a subsidiary, branch, or other establishment.

Can a DPO also be an EU GDPR representative or vice versa?

No, there is a conflict of interest between the roles of DPO and GDPR representative. The EDPB states in its Guideline 3/2018 on the territorial scope that there is a possible conflict of obligation and interests in cases of enforcement proceedings, and because of this the EDPB does not consider the function of a representative in the EU to be compatible with the role of data processor for the same company, in particular when it comes to compliance with the respective responsibilities and compliance of a DPO and a representative.