Frequently Asked Questions

In essence, under the EU, UK and Swiss privacy laws, organisations without local establishments must appoint privacy representative if they:

• Offers goods or services to people in those regions
  (signals include: local language website, pricing in local currency, shipping options, specific marketing), or
   
• Monitors behaviour of people in those regions
  (e.g., cookie-based profiling, device fingerprinting, behavioural ads, detailed analytics tied to users).
  
  IN MORE DETAIL:
  - EU (GDPR Article 27) — If you don’t have an EU establishment and you offer goods/services to people in the EU or monitor their behaviour (e.g., profiling/ads), you must appoint an EU representative. This applies to controllers and processors.
  

- UK (UK GDPR Article 27) — If you don’t have a UK establishment and you offer goods/services to people in the UK or monitor their behaviour, you must appoint a UK representative.

- Switzerland (revised FADP, Art. 14) — If you don’t have a Swiss establishment and you process personal data of people in Switzerland in connection with offering goods/services or monitoring behaviour, you may need a Swiss representative—only for controllers and only if the processing is (a) extensive, (b) regular, and (c) high-risk (all conditions cumulative).

In all three regimes, the representative is a local point of contact for individuals and regulators and must be physically established in the respective jurisdiction.

Example Case 1 — DTC eCommerce (cosmetics, outside EU/UK/CH)

- You run a Canadian online store with EUR/GBP/CHF pricing, EU/UK/CH shipping, and localized pages (DE/FR/IT). You use pixels/retargeting and keep purchase + browsing histories.
- Result: You must appoint an EU representative and a UK representative (you’re offering to, and monitoring, people there). You’ll also need a Swiss representative if your Swiss processing is regular, extensive, and high-risk (e.g., ongoing behavioural profiling of a sizable Swiss customer base).

Example Case 2 — B2B SaaS (time-tracking platform, outside EU/UK/CH)

- Your SaaS is used by EU and UK employers; you process employees’ personal data (IDs, schedules, locations) on their behalf.
- Result: You must appoint an EU representative and a UK representative as a processor because your processing relates to controllers that target those markets. Under Switzerland’s FADP Art. 14, processors are not obliged, so no Swiss representative—but your controller clients may be.

Example Case 3 — Mobile app (fitness/wellness, ad-supported, outside EU/UK/CH)

- Your free app is available in EU/UK/CH app stores, offers German/French/Italian UX, collects GPS/accelerometer data, and serves behavioural ads and push recommendations.
- Result: You must appoint an EU representative and a UK representative (offering services + monitoring). A Swiss representative is required if your Swiss user processing is regular, extensive, and high-risk (e.g., continuous health-adjacent profiling at scale).

At a glance: It’s about intentional targeting. If your business aims at EU customers, GDPR considers you to be offering goods/services in the EU (the same logic applies to the UK and Switzerland).

Signs you’re targeting the EU (EDPB Guideline 3/2018)

• EU-facing content or pricing: pages in EU languages; EUR pricing.
  
• Offering the delivery of goods to EU Member States;
  
• EU marketing: Google/Facebook/other ads aimed at EU audiences; campaigns referencing EU customers.
   
• EU references & touchpoints: testimonials from EU clients; EU TLDs (.de, .fr, .eu); EU contact numbers/addresses; delivery or service available in EU countries.
   
• Travel/servicing cues: directions from EU Member States, or services that are inherently international (e.g., tourism) with EU-specific info.
   

Things that don’t prove targeting on their own: a globally accessible site, listing a generic email, or showing a phone number without an international code.
 

Bottom line: If you run outbound activity into the EU or guide EU users to purchase or use your product, GDPR likely applies.

Examples

Case 1 — Photo-book eCommerce (UAE → EU)
A UAE-based wesite offers create/print/ship photo albums, with English/French/Dutch/German pages, EUR/GBP payments, and delivery to the UK, France, Benelux, and Germany.
Result: Clear EU targeting → GDPR applies (you’re offering goods/services in the EU).

Case 2 — University summer courses (Switzerland → EU)
A Swiss university promotes its summer school courses at German and Austrian universities to boost EU attendance.
Result: Intent to attract EU data subjects → GDPR applies to the related processing.

Monitoring isn’t every instance of collecting EU users’ data. It implies an intent to track individuals for a specific purpose (e.g., profiling, targeting, measurement). The EDPB (Guidelines 03/2018) notes that monitoring can occur online and via devices (wearables, smart/home tech), not just on websites.

Common monitoring activities include:

• Behavioural advertising and retargeting
   
• Geolocation tracking (e.g., for marketing or usage analytics)
   
• Online tracking via cookies, SDKs, or device/browser fingerprinting
   
• Personalised health/diet/fitness analytics
   
• CCTV/vision analytics tied to individuals
   
• Market research based on individual profiles
   
• Ongoing/regular reporting on a person’s health or status
   

Examples:

Case 1 — Fitness wearables
- A U.S. fitness company sells smart bands globally. Its app tracks EU users’ heart rate, sleep, and location and provides personalised coaching and targeted offers.
- Result: Intentional behavioural and health-related monitoring of EU data subjects ⇒ GDPR applies; an EU representative is required if there’s no EU establishment.

Case 2 — Smart home cameras
-A Canadian smart-camera vendor operates a cloud service that analyzes EU users’ video streams for person detection and movement patterns, sending behaviour-based alerts.
- Result: Continuous device-based monitoring of individuals in the EU ⇒ GDPR applies.

Case 3 — Mobility App
- A Singapore ride/scooter app collects real-time GPS from EU riders, builds movement profiles, and runs surge-pricing and push campaigns based on usage patterns.
- Result: Geolocation tracking + profiling of EU users ⇒ GDPR applies.

Note: Whether you’re a controller or processor, if your processing targets or monitors people in the EU and you lack an EU establishment, you’ll generally need an EU representative (and the same applies for the UK and Switzerland under their regimes). 

*** EU (GDPR):

• Maximums: Up to €10 million or 2% of worldwide annual turnover for breaches of controller/processor obligations in Arts. 25–39 (this tier covers failure to appoint an EU representative under Art. 27). More serious breaches can reach €20 million or 4%. 
• Example: The Dutch DPA fined Locatefamily.com €525,000 for not appointing an EU representative and added a periodic penalty until one was appointed. 

*** UK (UK GDPR & DPA 2018):

• Maximums: Two tiers—£8.7 million or 2% (standard tier) and £17.5 million or 4% (higher tier), whichever is higher. Failure to appoint a UK representative typically falls into the standard tier (controller/processor obligations)
  
  *** Switzerland (FADP):
• Maximums: Fines are criminal and aimed mainly at natural persons, up to CHF 250,000 for intentional violations of certain duties (e.g., information/notification). Company liability can apply in limited cases. The duty to appoint a Swiss representative (Art. 14) applies to certain controllers; enforcement uses these FADP penalty tools.

The representative acts as the designated point of contact for supervisory authorities and data subjects, facilitating communications with controllers and processors established outside the EU. The appointment must be evidenced by a written mandate from the controller or processor. The representative must also maintain the Article 30 record of processing activities and make it available to the supervisory authority upon request.

• Choose a plan by company size:
  Plans follow Eurostat size categories (headcount includes part-time staff and freelancers).
• Enter company details:
  Provide legal entity info and primary privacy contacts.
• Sign the Letter of Appointment (LoA):
  The LoA is your contractual appointment of Agora as your Article 27 representative (e-sign online).
• Download, sign, and upload the Power of Attorney (PoA):
  The PoA is your legal mandate authorizing Agora to act before supervisory authorities and data subjects on your behalf.
• Verification:
  Agora eviews the LoA, PoA, and company details (typically completed within a few hours).
• Appointment confirmed:
  Once approved, Agora is officially your EU GDPR representative. Access your client area for website/privacy-policy templates and implementation guidance. The same applies for the UK and Switzerland.