GDPR Representative in the EU article 27 GDPR designation

Datadiem is your GDPR Representative in the European Union.

Datadiem provides a GDPR Representative in the EU service in accordance with Article 27 of the GDPR. It only takes a short time to contact us and comply with your obligation.

You benefit from our expertise and our tools with no commitment in time. Our goal is to support you in developing your business and entering the European market in accordance with the legislation on the protection of personal data.

    Let’s talk about appointing your GDPR Representative in the EU

    Why choose Datadiem as GDPR Representative?

    Compliance with legislation

    In order to comply with article 27 of the GDPR, thus minimizing the risks of sanctions and litigation, let’s appoint Datadiem as GDPR Representative in the EU.

    Simplicity

    There aren’t many crucial yet easy-to-implement GDPR requirements. Just sign up, no credit card and no commitment, and Datadiem takes care of the rest.

    Transparent pricing

    A package adapted to every company size and any type of organization, with no additional calculation parameters, no additional cost, and an exhaustive description of the Datadiem 27 representation service.

    Truly non-binding

    The Datadiem 27 GDPR representation offer is a non-binding monthly plan: you can stop at any time, in the easiest way in the world.

    Privacy and GDPR experts

    You benefit from the experience and assistance of GDPR experts, CIPP/E certified by the International Association of Data Protection Professionals (IAPP). Datadiem 27 is a solution for global representation, legal and technical compliance.

    Human approach

    Datadiem 27 uses automation and the best technologies in terms of data protection; however, when it comes to communicating with our customers, we favor a direct and human relationship.

    Questions and answers relating to the appointment of a GDPR representative in the EU

    In which cases is it mandatory to appoint a representative in the European Union according to Article 27 of the GDPR?

    It is mandatory to appoint a GDPR representative only in certain cases. The General Data Protection Regulation (GDPR) specifies the general principle according to which companies which are not present on the territory of the European Union (directly or indirectly, in particular via a subsidiary, branch, representative office or other form of establishment) and which, on the other hand, target individuals in the European Union (by offering them goods or services) or which monitor the behavior of the latter, must appoint a representative.

    What is the mission of the GDPR representative in the European Union?

    The GDPR clearly provides the scope of the mission of the GDPR Representative in the EU and his obligations: the representative is the point of contact for the supervisory authorities (the CNIL in France) as well as for data subjects wishing to exercise their rights; in addition, he keeps a register of all the processing operations on personal data carried out in the territory of the EU.

    What is the responsibility of the GDPR representative vis-à-vis the controller or processor?

    The question of the responsibility of the GDPR representative is of course often addressed on the basis of the Regulation, but it is important to remember that other sources specify the extent of his responsibility. Beyond the obligations of the GDPR, the representative is engaged in a contractual relationship vis-à-vis his client in the form of a mandate. The representation service is not limited to a simple declaration to the CNIL; the scope of the mission and the responsibilities must be specified in writing in a mandate, in order to clarify the obligations of the principal (the representative) and of his agent (the customer).

    It is necessary to dispel a recurring ambiguity concerning the responsibility of the GDPR representative: the Representative is not intended to play the role of a firewall for his client. In the event of a breach involving the responsibility of the client, the latter cannot systematically take refuge behind the mandate of representation and the responsibility of his representative.

    “The appointment of a representative […] is without prejudice to legal actions that could be brought against the data controller or the processor himself”.

    Thus, in the event of a security breach involving the liability of a data controller or a processor established outside the EU, a supervisory authority such as the CNIL will first turn to the authorized representative, who assumes his mission as a point of contact with the authority. In a second step, the authority will seek to establish the sharing of any responsibilities between the principal and his agent, in particular in the light of the legal obligations of the representative but also of the obligations provided for in the mandate.

    Respect for the principles of transparency and reciprocal collaboration between the two parties will be taken into account to assess each party’s responsibility. For example, the representative has a legal obligation to keep a register of his client’s activities; however, if the CNIL finds a serious breach such as the omission of a processing sheet deemed to be essential in the register, it will investigate whether the processing in question has been transparently brought to the attention of the representative or whether this processing activity has been concealed from him.

    What information must appear on a GDPR representative mandate?

    Regarding the Article 27 GDPR representative mandate, it is advisable to include the following information: the identity of the parties and their capacity as principal or agent; whether the client acts as data controller and/or processor; the duration of the mandate; information relating to the scope of the mission and a reminder of the legal obligations of the representative (contact point for the CNIL, contact point for data subjects wishing to exercise their rights, keeping of the register of activities according to the information provided by the client); the remuneration for the GDPR representation service (see the answer given to the question “price of a GDPR representative service in the European Union?”); a reminder of the distribution of the responsibilities of the parties in the event of a dispute; and a mention of the Representative’s general conditions of service.

    Can the GDPR representative be also designated DPO?

    The GDPR representative cannot be DPO of the same entity; the incompatibility is justified by the existence of a conflict of interest between the two functions. On the other hand, it is quite possible for a compliance professional to offer the services of DPO as well as GDPR Representative for separate entities when any risk of conflict of interest is ruled out.

    What is the price of a GDPR representative service in the European Union?

    The cost of the GDPR representative service for a foreign company can take into account several methods of calculation: start-up costs such as file opening fees, monthly or annual recurring fees for the designation with the CNIL, then remuneration (lump sum or according to an hourly rate) depending on the services performed (maintenance of the register, response to data subjects, etc.). In addition, the risk exposure of the company is often taken into account in the calculation of the remuneration of the representative. The criteria used to assess this risk are generally the size of the company (according to the number of employees, the number of subsidiaries, the countries covered), the type of data processed (presence of particularly sensitive data categories) according to the sector of activity (for example the health sector), and the number of data subjects likely to exercise their rights.

    What are the criteria for choosing a GDPR representative in the European Union?

    First of all, you have to make sure, as with the choice of your DPO, that your GDPR representative is an expert in GDPR compliance. His mission implies an in-depth knowledge of the regulations: he represents you before the supervisory authority and manages the requests of the data subjects concerned by your processing. The mission of the representative is therefore not simply administrative: in the event of an inspection by the CNIL or even a dispute, the answers provided by the representative often prove to be decisive for the progress and the outcome of the procedures initiated against your company. Also remember that although your representative cannot be your DPO at the same time, he can still give you valuable advice. Of course, the availability of the GDPR representative is an important criterion: as with any mandate, communication must be simple and quick. In the same vein, it is necessary to check the procedures for exchanging information, for example verifying that the data processing sheets can easily be updated and that the management of notifications and requests from data subjects is technically mastered. The GDPR representative must be able to provide his insurance certificate covering his activity as “RGPD representative article 27 of the GDPR” (not only DPO). This list of selection criteria for your GDPR Representative is not exhaustive.

    Should a group of companies designate a GDPR representative in the European Union for each entity?

    What is the procedure for appointing a GDPR representative in the European Union?