Frequently Asked Questions

Do I need to appoint an EU representative?

An EU representative must be appointed if you are not established in the EU and process personal data of EU citizens in order to offer them goods or services or if you observe the behaviour of EU citizens within the EU. This applies if you act as a so-called controller, i.e. you decide yourself which data you process and why. It also applies if you are a so-called processor, i .e. you process personal data of EU citizens for third parties.

When do I offer goods and services to EU citizens?

The question can be answered quite simply at first: You offer goods and services to EU citizens if you are prepared to conclude appropriate contracts with them. It would not be sufficient if, for example, your website could be reached from Europe, but you only sell your products in Switzerland.  It is not necessary that your offer is explicitly directed at EU citizens, it is sufficient that you conclude corresponding contracts with them. Such a contract exists, for example, if users from the EU can create an account on your website in order to use the services offered on the website.

Some examples include:

  • A United States company running an ecommerce store that serves EU customers.

  • A Canadian mobile app developer whose app is available in the EU and requires users to create an account.

  • A Russian company, operating a website aimed at EU users that runs targeted advertising campaigns.

When do I observe the behaviour of EU citizens?

Observing does not literally mean looking when an EU citizen is about to do something behind the border. Rather, it refers to all services that are offered especially on the Internet, e.g. to collect behavioural data (who does what in a website and how do I increase the sale of a product purchased) or to enable interest-based advertising (tracking, retargeting, geo-localization, etc.).

Are there any exceptions?

There are hardly any exceptions to the obligation to appoint an EU representative. The obligation only does not apply if

  • personal data of EU citizens are processed only occasionally, and

  • does not include extensive processing of special categories of data as defined in Article 9(1) or extensive processing of personal data relating to criminal convictions and offences as defined in Article 10, and

  • taking into account the nature, circumstances, scope and purposes of the processing is not likely to result in a risk to the rights and freedoms of natural persons.

What is the role of my EU representative?

In very simplified terms, your EU representative serves as a contact person in the EU for all persons affected by your data processing as well as for authorities and courts. For example, your customers can contact the EU representative to request information about which of their personal data is being processed. Furthermore, supervisory authorities use the EU representative as a contact person “on site”. In general, however, the controller and not the representative bears all responsibility for the data processing activities.

What services do you provide as my EU representative?

First of all, we provide you with all services that an EU representative is required to provide under Art. 27 GDPR. Data subjects can turn to us to exercise their rights and we serve as your contact for authorities and courts in the EU. We work closely with you and can access qualified lawyers in our network if the need arises that a lawyer represents your interests in the EU.

Data subjects within the meaning of the GDPR are the persons whose personal data you process. They are entitled to various rights, which are described in particular in Articles 15 ff. GDPR . These include, for example:

  • The right of information in accordance with Art. 15 GDPR (which personal data is processed for which purpose, where does the data originate, to whom was the data transmitted, etc.)

  • The right to demand the correction of incorrect personal data (Art. 16 GDPR)

  • The right to delete data (“Right to be forgotten”, Art. 17 GDPR)

  • Right to limit processing, Art. 18 GDPR

  • Right to data transferability, Art. 20 GDPR

  • Right of objection, Art. 21 GDPR

Does it matter that your company is located in Estonia?

Yes, because the EU representative has to be based in the EU. However, if your offer is directed only to EU citizens in certain countries (e.g. Spain), then the EU representative must also be based in that country. However, as long as you do not limit the country of residence of your customers, the EU representative can also be located in any EU country.

What are my obligations under GDPR?

The EU representative alone is not enough. If you have to appoint an EU representative, this means that you process personal data in such a way that the GDPR applies to you. Although GDPR only applies to the extent that personal data of EU citizens is processed, you must comply with all provisions of the GDPR. These are just FAQs about the EU representative service, so we make you “GDPR Compliant in 5 minutes”, if it could be done at all. However, we can help you either by ourselves or through partners from our network to meet the requirements of the GDPR in order to avoid the risk of very high fines. Please contact us if you need appropriate advice.

How should I design my Privacy Policy?

The GDPR stipulates in Articles 13 and 14 how EU citizens are to be informed about the processing of their personal data. These privacy notices must include information that you appointed us as your EU representative and how we can be contacted.

Who are we?

The provider of the EU representative service is TDR Industries OÜ.


Our company was founded in 2018 to provide IT and Data Protection solutions for companies. Our partners are experienced IT entrepreneurs as well as Data Protection Professionals from Estonia and the United Kingdom.

Do you provide UK Representative services too?

As a European company we dont provide UK Representative services, however, we have a partnership with a UK company TYR Industries Ltd, who provide UK Representative services, under the UK Data Protection Act 2018.