FAQ


DSA - Frequently Asked Questions (FAQs)

The Digital Services Act (DSA) is a European Union (EU) regulation that establishes new rules for digital services acting as intermediaries connecting consumers with goods, services and content within the EU. It applies uniformly across all EU member states to both EU-based companies and non-EU companies that offer digital services in the EU.

The DSA applies to a wide range of providers of digital “intermediary services” if their services are offered to users based or located in the EU, including:

  • Internet service providers
  • Providers of cloud computing or web hosting services
  • Providers of web-based messaging services and email services
  • Online marketplaces
  • Social media networks
  • Content-sharing platforms
  • App stores
  • Online search engines
  • Online travel and accommodation platforms

Under the DSA, the concept of “offering” services is interpreted broadly. It applies not only to large online platforms but also to smaller intermediary services. This means that any digital service provider, regardless of size, that offers services to users within the EU must comply with the requirements of the DSA.

If your company provides any of the above services and is based outside the EU, you must appoint an EU legal representative under Article 13 of the DSA.

If your company provides digital services within the EU but is not based there, the DSA requires you to appoint a legal representative. This is a legal requirement and is not based on your assessment of the necessity; it is mandatory for compliance with the DSA. 

Having a legal representative ensures that you meet all regulatory obligations, helps facilitate communication with EU authorities, and protects your company from potential fines and penalties for non-compliance.

A DSA representative acts as a contact point between your business and EU regulatory authorities as well as users. Kanto, as your DSA representative:

  • Serves as the recipient of any legal or regulatory communications on behalf of the company.
  • Receives inquiries from authorities addressed to your business and facilitates communication with your business.
  • Assists with compliance with decisions made by these authorities. 
  • Facilitates cooperation with EU authorities during investigations or audits regarding digital services provided.
 

Legal representatives can also be held liable for non-compliance with the DSA, in addition to any liability faced by the company itself.

If you fail to appoint a DSA representative, your business can face significant fines and penalties:

  • Fines of up to 6% of the company’s annual worldwide turnover for the previous financial year
  • Daily penalties of up to 5% of the company’s worldwide turnover for continuous breaches
  • Fines of up to 1% of annual income or global turnover for providing incorrect or incomplete information, failing to respond to authorities, or refusing inspections

Additionally, non-compliance can lead to reputational damage and loss of market access within the EU.

Your DSA representative must be based in the EU. As an EU-based company, Kanto possesses the necessary knowledge and experience to serve as your DSA representative.

Yes, you are required to make the details of your DSA representative public. This information must be included in your terms and conditions, website and other relevant communications with users. The purpose is to ensure that authorities can easily contact your representative regarding any DSA issues.

Yes, you are obliged to notify regulatory authorities of your DSA representative. Kanto will assist you with this notification, provide you with a template, and send it on your behalf.

Our prices start at EUR 1,500 and are flexible depending on your company’s size and the scale of your digital services. For detailed pricing information and to find the plan that best suits your business, please contact us. 

You must appoint a DSA representative in writing. Kanto facilitates this process with electronic signatures, ensuring a smooth, paperless experience.

To appoint a DSA representative, please contact us at:

[email protected]
 

We look forward to assisting you. 

GDPR - Frequently Asked Questions (FAQs)

Under Article 27 of the GDPR, companies established outside the European Union (EU) must appoint an EU representative if they:

  • Offer goods or services to individuals in the EU, even if provided for free.
  • Monitor the behaviour of individuals within the EU, such as cookie profiling.
 

The GDPR representative requirement applies to both data controllers and processors, meaning it covers businesses that process personal information for their own purposes as well as those processing it on behalf of another company.

For example, you need a GDPR representative if you run an online shop or marketplace targeting EU customers, provide a cloud-based software solution, or offer an AI service on a SaaS basis.

Under Article 27 of the GDPR, you do not need to appoint a GDPR representative if you data processing:

  • is occasional, non-systematic;
  • does not include large-scale processing of sensitive data (e.g. health, religion, ethnicity) or information related to criminal convictions;
  • is unlikely to result in a risk to the rights and freedoms of individuals.

In practice, meeting all these criteria is challenging, and the exemption from the GDPR representative requirement is rarely applicable for most businesses.

If you fail to appoint a GDPR representative as required under Article 27, your business can face significant fines and penalties. The GDPR imposes fines of up to €10 million or 2% of your global annual turnover, whichever is higher. Additionally, non-compliance can lead to reputational damage.

A GDPR representative acts as a contact point between your business and EU data protection authorities and individuals. Kanto, as your GDPR representative:

  • Receives inquiries from authorities and individuals addressed to your business and facilitates communication with your business.
  • Assists with maintaining records of processing activities to ensure they meet GDPR requirements.
  • Facilitates communication and cooperation with EU supervisory authorities during investigations or audits.

These are mandatory tasks of a GDPR representative.

A GDPR representative should be appointed in an EU Member State. You are not required to have a representative in each Member State. A single representative will cover all other Member States.

If a large portion of your customer base is in a specific Member State, it is advisable to appoint your representative there. With Kanto, your GDPR representative will always be accessible.

Yes, you are required to make the details of your GDPR representative public. This information must be included in your privacy notice and other relevant communications with data subjects. The purpose is to ensure that individuals and data protection authorities can easily contact your representative regarding any data protection issues.

No, you are not specifically obliged to notify data protection authorities of your GDPR representative. However, you must ensure that the representative’s contact details are readily available in your privacy notice and other communications with data subjects.

Your GDPR representative does not assume your legal liability for GDPR compliance. This is explicitly outlined in the GDPR provisions. Kanto facilitates communication with data protection authorities and data subjects with your business.

Kanto provides a range of services as your GDPR representative, including:

  • Facilitating communication with EU data protection authorities and data subjects.
  • Assisting in creating and maintaining records of processing activities required from you by the GDPR.
  • Facilitating cooperation with EU supervisory authorities during investigations or audits.

Additionally, Kanto’s group companies are eligible to serve as your UK representative and Swiss representative.

Kanto serves as your reliable GDPR representative.

Within Kanto Group, you can receive advice on your general GDPR compliance from our team of legal experts and IAPP-certified privacy professionals.

Yes, Kanto Group can serve as your Data Protection Officer (DPO). The DPO oversees your data protection strategy and ensures compliance with GDPR across your entire organisation.

By appointing us as your DPO, you benefit from our extensive expertise and dedicated focus on maintaining your data protection standards.

You must appoint a GDPR representative in writing. Kanto facilitates this process with electronic signatures, ensuring a smooth, paperless experience.

To appoint a GDPR representative, please contact us at:

[email protected]
 

We look forward to assisting you with your GDPR compliance needs.

Our prices start at EUR 1,500 and are flexible depending on your company’s size. For detailed pricing information and to find the plan that best suits your business, please contact us.

UK Data Protection - Frequently Asked Questions (FAQs)

If your organisation is not established in the UK but processes personal data of individuals in the UK you may be required to appoint a UK Data Protection Representative under the UK GDPR.

Under Article 27 of the UK GDPR, organisations that do not have a physical presence in the UK must appoint a UK Data Protection Representative if they:

  • Offer goods or services (paid or free) to individuals in the UK, or
  • Monitor the behaviour of individuals in the UK (e.g., tracking, profiling, or online behavioural advertising).

This requirement applies to both data controllers and processors, meaning it covers businesses that process personal information for their own purposes as well as those processing it on behalf of another company. 

For example, you need a UK Data Protection Representative if you:

  • Run an online shop or marketplace outside the UK that sells to UK customers and processes their personal data.
  • Offer a SaaS product to UK users and collect personal data for accounts, subscriptions, or analytics.
  • Use tracking technologies (e.g. cookies, behavioural ads) to monitor UK individuals’ online activity.

You may be exempt from appointing a UK Data Protection Representative if:

  • Your organisation is established in the UK – The requirement only applies to businesses without a UK presence.
  • You do not process UK personal data – If you have no UK customers, users, or tracked individuals, this does not apply.
  • Your data processing is occasional, low-risk, and does not involve special category or criminal offence data. Small, infrequent, and non-sensitive processing may be exempt under Article 27 of the UK GDPR.

If you’re required to have a UK Data Protection Representative under the UK GDPR and fail to appoint one, you may face significant penalties, including:

  • Fines up to £8.7 million or 2% of global annual turnover (whichever is higher) for failing to comply with the UK GDPR’s requirements.
  • Increased scrutiny from the Information Commissioner’s Office (ICO), potentially leading to further enforcement actions.
  • Legal claims from individuals whose data rights are violated.

Appointing a UK Representative helps avoid these financial and reputational risks.

A UK Data Protection Representative acts as your official point of contact in the UK for:

  • Communication with the ICO – Handling enquiries, investigations, and data protection-related matters from the Information Commissioner’s Office.
  • Data Subject Requests – Managing requests from UK individuals exercising their data protection rights (e.g. access, deletion).
  • Compliance Support – Assisting with maintaining records and ensuring your data processing activities comply with UK GDPR.
  • Risk Mitigation – Helping reduce the risk of non-compliance and enforcement actions.

The UK Data Protection Representative ensures you meet legal obligations if your business processes UK personal data without a UK office.

Your UK Data Protection Representative must be based in the UK with a physical presence to act as your official point of contact for the Information Commissioner’s Office (ICO) and UK data subjects.

We provide this service through our London office, ensuring full compliance with UK data protection laws and effective management of communications and data subject requests.

You can appoint any individual or organisation established in the UK that offers UK Data Protection Representative services. This can include law firms, compliance and privacy consultancies, or specialist agencies.

With the office in London, our team possesses the necessary knowledge and experience to serve as your UK Data Protection Representative.

Yes, under UK GDPR (Article 27), you are required to make the details of your UK Data Protection Representative publicly available. This typically involves:

  • Providing contact details on your website or in your privacy policy, so data subjects and the Information Commissioner’s Office (ICO) can easily reach them.
  • Ensuring accessibility for individuals to contact the representative for any data protection-related matters.

Under UK data protection laws, you are not required to notify the ICO about your appointed UK Data Protection Representative. However, you must make the contact details publicly available, typically on your website or in your privacy policy, so that individuals and the ICO can easily reach your representative.

Your UK Data Protection Representative is not directly liable for your organisation’s compliance with UK data protection laws. The responsibility for compliance remains with your organisation as the data controller or data processor.

However, the representative’s role is to act as your official contact point for the Information Commissioner’s Office (ICO) and data subjects in the UK, helping you meet your obligations. They assist in ensuring compliance by managing communications and supporting data subject requests, but they are not held accountable for your organisation’s legal obligations.

Kanto provides a range of services as your UK Data Protection Representative, including:

  • Official Point of Contact – Acting as your representative for the Information Commissioner’s Office (ICO) and UK data subjects.
  • Handling Data Subject Requests – Assisting with requests such as access, deletion, or rectification of personal data from UK individuals.
  • Regulatory Liaison – Managing communications with the ICO in compliance with UK data protection regulations.

Additionally, our team is eligible to serve as your EU GDPR Data Protection Representative and Swiss Data Protection Representative.

Kanto serves as your reliable UK Data Protection Representative. 

Within Kanto Group, you can receive advice on your general compliance with UK data protection regulations from our team of lawyer and IAPP-certified privacy professionals.

Yes, Kanto Group can serve as your Data Protection Officer (DPO). The DPO oversees your data protection strategy and ensures compliance with UK data protection regulations across your entire organisation. 

By appointing us as your DPO, you benefit from our extensive expertise and dedicated focus on maintaining your data protection standards.

You must appoint a UK Data Protection Representative in writing. Kanto facilitates this process with electronic signatures, ensuring a smooth, paperless experience.

Our prices start at GBP 99 per month and are flexible depending on your company’s size. For detailed pricing information and to find the plan that best suits your business, please contact us.

Swiss Data Protection - Frequently Asked Questions (FAQs)

Under Article 14 of the Swiss Data Protection Act (FADP), you need a Swiss Data Protection Representative if:

  • Your organisation is a private controller based outside Switzerland.
  • You offer goods or services to individuals in Switzerland or monitor their behaviour (e.g. tracking, profiling).
  • Your processing is large-scale, regular, or involves high-risk activities for individuals.

The representative ensures compliance with Swiss data protection laws and serves as a contact point for Swiss authorities.

For example, you need a Swiss Data Protection Representative if you are:

  • an e-commerce company outside Switzerland selling products to Swiss customers and processing their personal data (e.g., name, address, purchase history).
  • a SaaS platform providing services to Swiss businesses or individuals and handling their personal information.
  • a digital marketing agency profiling Swiss individuals for targeted advertisements or analysing their online behaviour.

You may be exempt from appointing a Swiss Data Protection Representative if:

  • Your business is established in Switzerland and processes personal data within the country.
  • You do not offer goods or services to Swiss residents or engage in activities like tracking or profiling their behaviour.
  • Your data processing activities are not large-scale, regular, or pose a high risk to individuals in Switzerland.

If you fail to appoint a required Swiss Data Protection Representative, you could face investigations or penalties from the Swiss Data Protection Authority (FDPIC). Non-compliance can lead to:

  • Fines for failing to adhere to data protection regulations.
  • Potential legal actions if you do not respond to data subject requests or regulatory inquiries.

Ensuring you have a Swiss representative is key to avoiding these consequences.

A Swiss Data Protection Representative acts as your official point of contact in Switzerland for data protection matters. Their duties include:

  • Representing your organisation in dealings with the Swiss Data Protection Authority (FDPIC).
  • Handling data subject requests (e.g., access, rectification, or deletion).
  • Assisting with compliance with your obligation to appoint a data protection representative under the Swiss Data Protection Act (FADP).
  • Serving as a liaison for individuals in Switzerland regarding their data privacy rights.

You can appoint any individual or organisation established in the Switzerland that offers Swiss Data Protection Representative services. This can include law firms, compliance and privacy consultancies, or specialist agencies.

With the office in Lausanne, our team possesses the necessary knowledge and experience to serve as your Swiss Data Protection Representative.

Yes, under the Swiss Data Protection Act (FADP), you are required to make the contact details of your Swiss Data Protection Representative publicly available. This information should be included in your privacy policy and be accessible to both data subjects and the Swiss Data Protection Authority (FDPIC).

You are not required to notify the Swiss Data Protection Authority (FDPIC) about the appointment of your Swiss Data Protection Representative. However, you must ensure that the contact details of your representative are publicly available, typically through your privacy policy or on your website, for transparency and to ensure compliance with the Swiss Data Protection Act (FADP).

Your Swiss Data Protection Representative is not liable for your organisation’s compliance with Swiss data protection laws. They act as a point of contact for the Swiss Data Protection Authority (FDPIC) and data subjects but do not assume responsibility for your organisation’s data protection practices or violations.

It remains your organisation’s responsibility to ensure compliance with the Swiss Data Protection Act (FADP).

Kanto provides a range of services as your Swiss Data Protection Representative, including:

  • Official Point of Contact – Acting as your primary contact with the Swiss Data Protection Authority (FDPIC).
  • Handling Data Subject Requests – Assisting with requests such as access, deletion, or rectification of personal data from Swiss individuals.
  • Regulatory Liaison – Managing communications with the Swiss Data Protection Authority (FDPIC) in compliance with Swiss data protection regulations. 

Additionally, our team is eligible to serve as your EU GDPR Data Protection Representative and UK Data Protection Representative.

Yes. Within Kanto Group, you can receive advice on your general compliance with Swiss data protection regulations from our team of lawyer and IAPP-certified privacy professionals. Our team provides expert guidance on data protection requirements, helps you implement necessary compliance measures, and ensures your business adheres to Swiss regulations.

Typically, the appointment is done through a simple service agreement. Kanto facilitates this process by providing a service agreement template and electronic signatures, ensuring a smooth, paperless experience.

Our prices start at CHF 150 per month and are flexible depending on your company’s size. For detailed pricing information and to find the plan that best suits your business, please contact us.

Are you ready to address your EU representation needs?

Book your free consultation online and discover how we can assist you 

Book a call

Unit 4 First Floor, 84 Strand Street, Skerries, Dublin, Ireland

[email protected]

+ 353 1 270 9269

Kanto

Legal Documents

Copyright 2025 KANTO. All Rights Reserved.