Legal and operational data protection consulting
No advice or poor advice—sometimes even non-legal advice—can have serious consequences for your organisation in the form of fines, claims for compensation, and reputational damage.
This is especially true for extensive or sensitive processing of personal data, which requires comprehensive advice due to the associated data protection risks.
What sets us apart?
Our lawyers are highly specialized and have many years of experience in the increasingly complex field of data protection law.
The following aspects distinguish our data protection consulting services:

We know the legal specifics
The General Data Protection Regulation (GDPR) stipulates a series of overarching obligations that must always be fulfilled to ensure lawful processing of personal data. However, sector-specific characteristics must also be taken into account, such as employee data protection, health data protection, and group data protection.
We keep track of everything for you and point out any special features.

Extensive experience and excellent reputation
Since 2005, we have been advising national and international groups, medium-sized companies in almost all sectors, and public authorities as external Data Protection Officers. Thanks to our many years of expertise, we guarantee practical advice for our clients. We also enjoy a reputable standing with the supervisory authorities.

Keeping an eye on current developments
Even though some time has passed since the introduction of the GDPR, there is still legal uncertainty regarding its interpretation and application. Regularly published supervisory authority statements and court rulings help to eliminate uncertainties and ensure that the processing of personal data is lawful. We continuously monitor legal developments and inform our clients of any necessary actions and possible solutions.

Individual consulting concepts at fair prices
Our clients receive data protection consulting tailored to their individual needs and the best team of consultants for the job. As a data protection consultant, it is easy to say “no.” The challenge lies in developing solutions. We do not work with opaque flat rates. All valuable activities are documented by us to the nearest 6 minutes and verified at regular status meetings or at any time upon your separate request. You pay market rates for outstanding data protection experts.
We ensure data protection compliance
In order to identify deficits in the implementation of data protection requirements, we offer an initial audit of existing processing of personal data and data protection-related processes at the beginning of our data protection consulting services.
We then help you to comply with the data protection framework. To this end, we develop customized projects for the introduction of a needs-based data protection organisation and data protection management, and design tools and documents for implementing the legally required standards and processes.
Would you like to get an initial overview of the level of data protection in your organisation? Take advantage of our free GDPR quick check.
Professional data protection consulting minimizes liability risks
Without professional data protection consulting, you could face administrative fines and substantial claims for compensation. In this respect, comprehensive consultant liability is essential to mitigate and transfer liability risks.
In the event of incorrect or poor advice, Scheja & Partners is generally liable for up to EUR 10 million in individual cases.
A higher liability amount can be agreed separately for particularly risky advice.
Representative in the Union pursuant to Art. 27 GDPR
We assume the function of a representative in the Union pursuant to Art. 27 GDPR for controllers and processors in third countries, in particular in Switzerland and the United States.
Legal background to the representative pursuant to Art. 27 GDPR
The applicability of European data protection law does not depend solely on whether the controller or processor is established in the Union. Organisations without an establishment in the Union are also subject to the requirements of the GDPR, for example if they offer goods or services to data subjects within the Union or monitor their behavior within the Union. In such cases, the GDPR obliges the controller or processor to designate a representative in the Union in accordance with Art. 27 GDPR.
The purpose of the obligation to appoint a representative pursuant to Art. 27 GDPR is to provide both data subjects and supervisory authorities with a central point of contact in the Union. This enables European supervisory authorities to exercise jurisdiction over organisations established exclusively in third countries in order to enforce the requirements of the GDPR. The representative in the Union is therefore an important instrument for ensuring effective law enforcement in the interests of data subjects.
The representative in the Union under Art. 27 GDPR as a legal obligation
An organisation established in a third country requires a representative in the Union under Art. 27 GDPR if it:
- does not have an establishment in the Union, but
- offers goods or services to data subjects in the Union, or
- monitors the behaviour of individuals in the Union (in particular tracking or profiling).
The GDPR provides for exceptions to the obligation to designate a representative in the Union in cases of only occasional processing of less sensitive personal data or if the data processing is carried out by a public authority. If no exception applies, a representative in the Union is required by law under Article 27 of the GDPR. If a required representative in the Union under Article 27 of the GDPR is not designated, the supervisory authority may enforce the designation and impose a fine.
Representative function and operational tasks of the representative in the Union (Article 27 GDPR)
The representative in the Union serves as a point of contact for data subjects and supervisory authorities for all questions relating to the processing of personal data, in order to provide them with a direct contact person within the Union.
In addition, the representative’s tasks under Art. 27 GDPR include representing the organisation with regard to the legal obligations of the GDPR. This includes, among other things, receiving and forwarding requests from data subjects (such as exercising the right of access or the right to erasure) or providing the records of processing activities at the request of the supervisory authority.
Scheja & Partners as representative in the Union for your organisation pursuant to Art. 27 GDPR
As an internationally active law firm, our specialized attorneys provide advice exclusively in the field of data protection law. We are also happy to assume the role of a representative in the Union in accordance with Art. 27 GDPR for organisations without an establishment in the Union.
Below, we have answered the most frequently asked questions about the representative in the Union in accordance with Art. 27 GDPR.
FAQ
European data protection law aims to ensure a uniform level of protection for personal data within the EU and thus to take into account the protection of this data as enshrined in fundamental rights. In order to ensure this protection in an increasingly digitalized world, the General Data Protection Regulation (GDPR) introduces the so-called market location principle.
This means that non-European organisations may also process personal data of EU citizens—provided that they offer their products or services in the EU or observe the behavior of data subjects within the EU. In these cases, however, the processing falls within the scope of the GDPR. Accordingly, affected companies may have to appoint a representative in the EU (Art. 27 GDPR).
Note: This information does not constitute individual legal advice.
The EU representative pursuant to Art. 27 GDPR acts as a central point of contact for data protection issues in Europe – both for employees of the non-European organisation and for European and national supervisory authorities as well as for data subjects whose personal data is processed.
In addition, the representative supports the organisation in fulfilling its data protection obligations. This includes in particular:
- receiving and forwarding requests from data subjects (e.g., requests for information or erasure)
- communicating with supervisory authorities,
- and providing the record of processing activities upon request.
Note: This information does not replace individual legal advice.
A non-European organisation requires an EU representative in accordance with Art. 27 GDPR if it does not have a branch within the EU but nevertheless:
- offers goods or services to persons in the EU, whether for payment or free of charge,
- or observes the behavior of persons within the EU—in particular through measures such as tracking, profiling, or web analysis.
In these cases, the market location principle applies, which means that the organisation falls within the scope of the GDPR.
Note: This information is for general guidance only and does not constitute individual legal advice.
The EU representative pursuant to Art. 27 GDPR is defined in the Regulation itself as:
“a natural or legal person in the Union who is designated by the controller or processor in writing pursuant to Article 27 GDPR to represent the controller or processor in relation to the obligations imposed on them by this Regulation.” (cf. Article 4 No. 17 GDPR)
The EU representative performs representative tasks for the organisation within the European Union. They also provide support in complying with the requirements of the GDPR, in particular in contact with supervisory authorities and data subjects.
Note: This information is for general information purposes only and does not replace individual legal advice.
Without data protection advice, or with insufficient advice, there is a risk that personal data will be processed unlawfully or that other requirements of the GDPR will not be properly fulfilled. This can have serious consequences:
- In such cases, supervisory authorities may issue orders or processing bans,
- impose fines of up to 20 million euros or up to 4% of global annual turnover (Art. 83 GDPR),
- and there is a risk of lasting damage to reputation, particularly in terms of customer and partner trust.
Professional data protection consulting helps to identify such risks at an early stage, minimize them effectively, and ensure long-term compliance with data protection regulations.
Note: This presentation does not replace individual legal advice.
The appointment of an external Data Protection Officer is not necessarily linked to data protection consulting.
On the one hand, the appointment may not be required by law—for example, if a non-public organisation employs fewer than 20 people who are constantly involved in the processing of personal data (see § 38 para. 1 BDSG).
On the other hand, the function of Data Protection Officer can also be performed by a suitable person within the organisation.
However, upon request, data protection consulting can also include the assumption of the role of external Data Protection Officer – even if there is no legal obligation to do so.
Note: This information is for general information purposes only and does not replace individual legal advice.
The aim of professional data protection consulting is to support organisations in ensuring the legality of their data processing.
This is usually achieved by introducing an effective data protection management system that establishes binding processes and standards for the processing of personal data for all employees.
This is supplemented by practical advice on specific individual issues—for example, on the compliant design of everyday data processing or on handling requests from data subjects, such as requests for information and deletion in accordance with the GDPR.
Note: This information does not replace individual legal advice.
With the growing scale and increasing complexity of automated data processing, the requirements for its lawful design are also increasing.
In addition, data subjects must be informed transparently about the processing of their data; their rights—such as the right to information, erasure, or objection—must be fully respected.
Violations are subject to severe penalties under the GDPR, including fines and potential claims for damages by affected individuals.
Sound data protection advice helps organisations ensure that their data processing is lawful and that they comply with all data protection obligations—effectively avoiding legal risks and economic consequences.
Note: This information does not constitute individual legal advice.
Professional data protection consulting helps organisations systematically meet the complex legal requirements of data protection law.
The focus is on ensuring the lawful processing of personal data. In addition, the consultation helps to implement other obligations under the GDPR, such as the correct documentation of processing activities or the comprehensibility and completeness of data protection notices.
The consulting is always individual, needs-oriented, and takes into account the practical processes and day-to-day business of the organisation.
Note: This information is for general purposes only and does not replace individual legal advice.