Boost your
GDPR compliance
RIVACY offers an outsourced EU, UK & Swiss Data Representation Service, which is required by European law for all businesses that are selling Goods or Services into Europe from the outside or are processing personal data of European residents.
Protection Officers and Auditors
are certified by TÜV.
of legal experts and expand your reach across borders.
Data Representation Services pursuant to GDPR & FADP
Protect yourself from receiving fines from European Data Protection or Supervising Authorities, improve data privacy services to your customers and make your organization more efficient – only properly deployed and reliable GDPR & FADP Data Representation Services are effective for your business in the long run.
EU Data Representative pursuant to GDPR
UK Data Representative
pursuant to UK GDPR
UK Representation Service for the United Kingdom performed from our London office.
Swiss Data Representative pursuant to FADP
Swiss Data Representative Service is provided by an experienced team of specialists from our modern office in the heart of Zurich.
DPO-Service
Data & Privacy
For companies in Germany, we offer outside DataProtection Officer services.
Your
benefits
RIVACY’s value proposition is aimed at increasing your customer satisfaction, streamlining your processes and minimizing your business risk:
Efficient Compliance and Data Privacy Processes
RIVACY guarantees a reliable service level dealing with Data Privacy requests from Supervising Authorities as well as your customers.
You don’t have to hire and train staff or create processes for handling requests in the European Union, Switzerland or the United Kingdom because RIVACY will do it for you. They will monitor requests and provide resources when needed, which saves your company money and allows you to focus on other tasks.
Increased customer satisfaction
RIVACY is an intermediary service that helps organizations handle data privacy request from European residents (your customers) in a compliant and professional manner. This leads to increased customers satisfaction with how data privacy requests are handled.
Mitigating risk of
receiving fines from supervising authorities
If your company gets contacted by a European Supervising Authority or you experience a data breach, our experts will help you to communicate effectively with local data protection authorities. This will keep the strain on your internal resources to a minimum while RIVACY experts will expertly guide you through the process. Your risk of further investigations or receiving fines will be reduced considerably.
Why Rivacy?
Since the launch of the General Data Protection Regulation, RIVACY has been offering the EU Data Representative service pursuant to GDPR for the entire territory of the European Union to clients from all over the world from its headquarters in Hamburg, Germany.
Since Brexit, we also offer UK Data Representative service pursuant to UK GDPR from our London office.
Since 2023, RIVACY Switzerland GmbH helps customers from all over the world to comply with the Swiss Federal Act on Data Protection (Swiss DPA).
- If you choose RIVACY, you are choosing a team that has experience working with German Supervisory Authorities who have strict standards when it comes to data protection and privacy laws.
- RIVACY boasts a wealth of industry knowledge across diverse sectors, making us the go-to choice for leading law firms in Europe and the USA. Trust in our expertise to safeguard your privacy needs with utmost professionalism.
- RIVACY offers a pricing system that is based on the number of inquiries rather than having specific restrictions or surprises related to datasets, employees, users and data sensitivity.
Our Service
Data Representation Service in the entire EU, UK & Switzerland
EU Data Representation Services in all EU countries as well as in the UK.
Compliant communication of data breaches
Compliant communication with Data Protection Authorities regarding data breaches.
Guaranteed
SLA
Guaranteed service level monitoring inquiries and requests regularly as well as response time.
Handling Data Privacy requests from individuals
Engaging in Data Privacy requests from customers on personal date matters, including deleting, restricting or general access.
Inquiries from Supervising & Data Protection Authorities
Engaging in Data Privacy inquiries from local Supervising or Data Protection Authorities and communicating with your internal teams.
Access to
expert knowledge
Promotion, exchange of experience at the highest level and sample solutions for handling concerns of affected persons and individuals as well as inquiries from regulatory authorities. If required: access to external legal offices for additional legal support.
Access to translation service
Translation of data subject requests or inquiries from authorities into English.
Record of Processing Activities (RPA)
Review of your RPA and sharing of best practices as well as secure record retention.
Do you need assistance ensuring your company's GDPR compliance?
Frequently asked questions
We have answered some of the most frequently asked questions about the tasks of an external data protection officer here. If you have more specific or special questions, please feel free to contact us.
An EU Data Representative is a mandatory contact person pursuant to the General Data Protection Regulation (GDPR) of the European Union. (Acc. to Art 27 GDPR). The Representative acts as contact person for EU-based Supervisory Authorities and EU residents on all issues relating to a company’s processing of personal data.
The appointed EU Representative can be a person or company and should have a broad understanding of the relevant legal and technical data protection issues in order to be able to communicate with the authorities and individuals efficiently about Data Privacy issues.
The GDPR applies already when a non-EU Company offers goods or services (even if for free) to individuals in the EU or processes or stores personal data.
The threshold is very low: offering services to the EU via a website directed to EU users (e.g. because goods/services are delivered to the EU, EU currency is accepted or EU languages are used) will trigger the requirement to appoint an EU Representative.
The same applies to collecting personal information of EU residents: GDPR applies if cookies are collected, IP addresses captured or any other personal information are either stored or processed (Art. 3 sec. 2 UK GDPR).
Typical examples are: an online shop that sells goods into any of the EU countries, an online gaming company that offers their services to EU residents, a tech company offering SaaS Services, or a pharma company that conducts research in the EU.
The EU Data Representative needs to be physically established in one of the EU member states where the individuals affected are located. It is not necessary to appoint an EU Data Representative for each EU member state.
If your company only processes data of residents of a specific EU member state, then it would make sense to appoint a Representative in that respective country.
If you have an establishment in the EU you still need to comply with GDPR, which requires you to appoint a person to act as an EU Data Representative as well as introducing all measures required under GDPR. The EU Data Representative can be appointed internally or externally.
Very much so. Outsourcing the service will relieve you of the necessity to train personnel with the required knowledge and thus interfering with their actual work. Furthermore, the agreed service time is observed and the correct approach to the inquirer is maintained. By using an intermediary, you convey to your customers and the Authorities that you take the issue of data protection seriously. This may lead to a higher level of trust. In total the external service may costs you less compared to constantly train and make available internal staff.
- The contact details of the EU Data Representative need to be publicly available (i.e. through your website).
- The EU Data Representative handles incoming requests from individuals and Supervising Authorities.
- The EU Data Representative maintains and makes available the Record of Processing Activities Document to Supervising Authorities (Acc. to Art. 30 GDPR).
- Supports communicating Data Breaches with your assigned Data Protection Authority in Europe. Please note: you have to communicate Data Breaches within 72 hours to Supervising Authorities (acc. to Art. 33 GDPR)
The draconian penalties in the triple-digit million region mainly affect large tech giants.
Smaller companies are also fined heavily by the numerous Data Protection Supervisory Authorities (almost 50!) in the event of a violation.
The GDPR allows supervisory authorities to impose fines of up to 10,000,000 Euro or 2 per cent of the company’s annual turnover — whichever is higher.
The Dutch DPA imposed a 525,000 Euro fine for not appointing an EU Data Representative under Art. 27 GDPR. Additionally, the DPA imposed an order subject, obligating the company to appoint a European representative, any further non-compliance resulting in a 20,000 Euro fine every two weeks up to a maximum of 120,000 Euro.
A Data Protection Officer (DPO) is the person designated to facilitate and assess a company’s compliance with the provisions of the GDPR. An EU Data Representative (pursuant to GDPR) is the person designated to represent companies that are not based in the European Union regarding their obligations under the EU GDPR (acc. to Art. 27 GDPR)
The EU Data Representative performs various services:
- To start with, the EU Data Representative does a sanity check with the Record of Processing Activities and keeps it on behalf of the client. If required, the EU Data Representative can assist you in preparing the Records or refer their customer to a suitable party through our worldwide network of lawyers.
- On a daily basis, the Representative constantly monitors incoming data privacy requests from individuals or EU Supervising Authorities on your behalf. These could be: requests to delete, change or restrict processing of personal data for an individual, incoming inquiries from local police departments or from Data Protection Authorities following up complaints from third parties about the processing of personal data of your company or investigations. The EU Data Representative will work with your Legal and Data Privacy team to handle all communication with the end client and the relevant authorities with urgency, care and according to applicable Data Privacy standards.
- In case of a data breach you need to communicate this matter to the relevant Data Protection Authority. RIVACY employees will guide you with best practices. Under pre-agreed conditions, RIVACY will also perform the first communication with Data Protection Authorities within the required 72 hours (Acc. to Art. 33 GDPR).
The Record of Processing Activities (or RPA, RoPA) is an inventory of data processing and provides an overview of what you do with the concerned personal data. It is mandatory obligation and set out in Article 30 of the EU General Data Protection Regulations. It is a tool to help you comply with the Regulations. This document is kept by the EU Data Representative and is to be made available to Supervisory Authorities upon request.
Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
As a small example, all sessions that a web page collects are personal data – enormous amounts of data can quickly accumulate here and become a potential risk.
Across our client base there is an 85 per cent probability of receiving an inquiry from an individual (likely one of your clients) regarding the processing of personal data. The likelihood to receive an inquiry from a Supervising Authority is 5 per cent, and the necessity to communicate with a Data Protection Authority regarding a data breach is 3 per cent.
Yes we can. Simply contact us for a quote.
An UK Data Representative is a mandatory contact person pursuant to the UK General Data Protection Regulation (Acc. to Art 27 UK GDPR). The Representative acts as contact person for UK-based Supervisory Authorities and UK residents on all issues relating to a company’s processing of personal data.
The appointed UK Representative can be a person or company and should have a broad understanding of the relevant legal and technical data protection issues in order to be able to communicate with the authorities and individuals efficiently about Data Privacy issues.
An UK Data Representative is a mandatory contact person pursuant to the UK General Data Protection Regulation (Acc. to Art 27 UK GDPR). The Representative acts as contact person for UK-based Supervisory Authorities and UK residents on all issues relating to a company’s processing of personal data.
The appointed UK Representative can be a person or company and should have a broad understanding of the relevant legal and technical data protection issues in order to be able to communicate with the authorities and individuals efficiently about Data Privacy issues.
An UK Data Representative is a mandatory contact person pursuant to the UK General Data Protection Regulation (Acc. to Art 27 UK GDPR). The Representative acts as contact person for UK-based Supervisory Authorities and UK residents on all issues relating to a company’s processing of personal data.
The appointed UK Representative can be a person or company and should have a broad understanding of the relevant legal and technical data protection issues in order to be able to communicate with the authorities and individuals efficiently about Data Privacy issues.
The UK GDPR applies already when a non-UK Company offers goods or services (even if for free) to individuals in the UK or processes or stores personal data.
The threshold is very low: offering services to the UK via a website directed to UK users (e.g. because goods/services are delivered to the UK, GBP are accepted) will trigger the requirement to appoint a UK Data Representative.
The same applies to collecting personal information of UK residents: UK GDPR applies if cookies are collected, IP addresses captured or any other personal information are either stored or processed (Art. 3 sec. 2 UK GDPR).
Typical examples are: an online shop that sells goods into the United Kingdom, an online gaming company that offers their services to UK residents, a tech company offering SaaS Services, or a pharma company that conducts research in the UK.
The UK Data Representative needs to be physically established in the United Kingdom.
If you have an establishment in the UK you still need to comply with UK GDPR, which requires you to appoint a person to act as a UK Data Representative as well as introducing all measures required under UK GDPR. The UK Data Representative can be appointed internally or externally.
Very much so. Outsourcing the service will relieve you of the necessity to train personnel with the required knowledge and thus interfering with their actual work. Furthermore, the agreed service time is observed and the correct approach to the inquirer is maintained. By using an intermediary, you convey to your customers and the Authorities that you take the issue of data protection seriously. This may lead to a higher level of trust. In total the external service may costs you less compared to constantly train and make available internal staff.
- The contact details of the UK Data Representative need to be publicly available (i.e. through your website).
- The UK Data Representative handles incoming requests from individuals and Supervising Authorities.
- The UK Data Representative maintains and makes available the Record of Processing Activities Document to Supervising Authorities (Acc. to Art. 30 UK GDPR).
- Supports communicating Data Breaches with your assigned Data Protection Authority. Please note: you have to communicate Data Breaches within 72 hours to Supervising Authorities (acc. to Art. 33 UK GDPR).
The draconian penalties in the triple-digit million region mainly affect large tech giants.
The UK GDPR allows supervisory authorities to impose fines of up to £ 8.7 million or 2 per cent of the total annual worldwide turnover in the preceding financial year, whichever is higher.
A Data Protection Officer (DPO) is the person designated to facilitate and assess a company’s compliance with the provisions of the UK GDPR. An UK Representative (pursuant to UK GDPR) is the person designated to represent companies that are not based in the United Kingdom regarding their obligations under the UK GDPR (acc. to Art. 27 UK GDPR)
The UK Data Representative performs various services:
- To start with, the UK Data Representative does a sanity check with the Record of Processing Activities and keeps it on behalf of the client. If required, the UK Data Representative can assist you in preparing the Records or refer their customer to a suitable party through our worldwide network of lawyers.
- On a daily basis, the Representative constantly monitors incoming data privacy requests from individuals or UK Supervising Authorities on your behalf. These could be: requests to delete, change or restrict processing of personal data for an individual, incoming inquiries from local police departments or from Data Protection Authorities following up complaints from third parties about the processing of personal data of your company or investigations. The UK Data Representative will work with your Legal and Data Privacy team to handle all communication with the end client and the relevant authorities with urgency, care and according to applicable Data Privacy standards.
- In case of a data breach you need to communicate this matter to the relevant Data Protection Authority. RIVACY employees will guide you with best practices. Under pre-agreed conditions, RIVACY will also perform the first communication with Data Protection Authorities within the required 72 hours (Acc. to Art. 33 UK GDPR).
The Record of Processing Activities (or RPA, RoPA) is an inventory of data processing and provides an overview of what you do with the concerned personal data. It is mandatory obligation and set out in Article 30 of the UK General Data Protection Regulations. It is a tool to help you comply with the Regulations. This document is kept by the UK Data Representative and is to be made available to Supervisory Authorities upon request.
Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
As a small example, all sessions that a web page collects are personal data – enormous amounts of data can quickly accumulate here and become a potential risk.
Across our client base there is an 85 per cent probability of receiving an inquiry from an individual (likely one of your clients) regarding the processing of personal data. The likelihood to receive an inquiry from a Supervising Authority is 5 per cent, and the necessity to communicate with a data protection authority regarding a Data Breach is 3 per cent.
Yes we can. Simply contact us for a quote.
The FADP applies already when a non-Swiss Company offers goods or services (even if for free) to individuals in Switzerland or processes or stores personal data.
Similarly, to the GDPR, it is therefore necessary for a non-Swiss Company to appoint a Swiss Data Representative in connection with offering goods and services or monitoring the behavior of individuals in Switzerland, if the processing is extensive and happens regularly and it involves a high risk for the personality of the data subjects (Art. 14 FADP).
The threshold is rather low, typical examples are: an online shop that extensively sells goods to Switzerland, an online gaming company that offers their services to Swiss residents, a tech company offering SaaS Services, or a pharma company that conducts research in Switzerland.
The Swiss Data Representative needs to be physically established in Switzerland.
- The contact details of the Swiss Data Representative need to be publicly available (i.e., through your website).
- The Swiss Data Representative handles incoming requests from individuals and Supervising Authorities.
- The Swiss Data Representative maintains and makes available the Record of Processing Activities Document to Supervising Authorities on request (Acc. to Art. 14 para. 1 and 2. FADP).
- Supports communicating Data Breaches with Switzerland’s Data Protection Authority. Please note: you have to communicate Data Breaches as quickly as possible (acc. to Art. 24 FADP)
The FADP allows supervisory authorities to conduct investigation procedures.
- To start with, the Swiss Data Representative does a sanity check with the Record of Processing Activities and keeps it on behalf of the client. If required, the Swiss Data Representative can assist you in preparing the Records or refer their customer to a suitable party through our worldwide network of lawyers.
- On a daily basis, the Representative constantly monitors incoming data privacy requests from individuals or Swiss Supervising Authorities on your behalf. These could be: requests to delete, change or restrict processing of personal data for an individual, incoming inquiries from local police departments or from the Data Protection Authority following up complaints from third parties about the processing of personal data of your company or investigations. The Swiss Data Representative will work with your Legal and Data Privacy team to handle all communication with the end client and the relevant authorities with urgency, care and according to applicable Data Privacy standards.
- In case of a Data Breach, you need to communicate this matter to the Swiss and/or other Data Protection Authorities. RIVACY employees will guide you with best practices. Under pre-agreed conditions, RIVACY will also perform the first communication with Data Protection Authorities in Switzerland and, if necessary, abroad, within the necessary deadlines (Acc. to Art. 24 FADP).
Are you convinced by our expertise?
- Contact us for a free consultation.
Learn more about how we can assist you in improving your compliance with the General Data Protection Regulation (GDPR). Get in touch with us and benefit from a free consultation. We are confident that we can help you take your compliance to the next level.