EU Representative – Art. 27 GDPR

EU Representative according to Art. 27 GDPR

As you will be aware, effective May 25th, 2018, the new General Data Protection Regulation imposes a new set of rules, one of which is the obligation to designate a EU-Representative when doing business within the EU – regardless of one’s own location. Only one Representative is required for all of the EU.

Who needs a Representative?

You do. When you are offering goods or services within the EU but are located abroad or when you are tracking the behavior of persons residing in the EU, you will need a Representative. However, you are exempt from this obligation if you process data only occasionally and you do not deal with large-scale processing of „special categories“ of personal data.

Special categories are defined in Art. 9 (1) GDPR: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, …and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” There are, of course, exceptions.

Thus, a EU Representative will be required for any company within the adult entertainment business as these companies on occasion collect user data such as images or, via his or her behavior on a site, know about his or her sexual orientation.

It ensures also that EU citizens will be able to contact the controller (you) outside of Europe that hold their personal data, without having the potentially difficult and costly effort required to contact them at their base.

Failure to comply

Failing to comply may result in harsh fines (Art. 83 GDPR) up to 10 million euros. It may also be considered as unfair competition not to comply which may result in expensive law-suits in Germany or other EU-countries.

How do I mandate a Representative?

The attorneys of our firm serve as EU-Representatives according to Art. 27 GDPR. Dr. Daniel Kötz is a certified Data Protection Officer and serves as a designated DMCA-Agent for several companies wishing to comply with U.S. law, but who do not reside within the country. He is now also Representative for companies residing in the U.S. and other countries. Dr. Kötz has been a member of the First Amendment Lawyers Association for more than a decade.

Designation will take place in writing; the document (contract) contains our tasks. You’ll have our name on your site as your Representatives. The GDPR requires you to name your Representative in your published, online privacy policy.

What are the tasks of the Representative?

Our task will mainly be to serve as a contact within the EU for any supervisory authority. We will receive legal documents and act on your behalf (the scope of our duties on your behalf will be carefully agreed to and documented in an agreement between us before we undertake your representation). Furthermore, we have to keep the record processing activities and your responsibility (see Art. 30 (1) GDPR) for you. We are your agent when a person (data subject) makes a request.


While other companies charge up to ca. 2,700.00 euros per year for companies with annual sales up to 24m USD, we charge much less for small companies. Simply  send us an e-mail and we’ll be glad to inform you about costs and more!

Further information can be found in Recital 80 of the GDPR.