We are Data Protection Representative Limited trading as 'DPR Group', a company in the Republic of Ireland. These terms set out the conditions which apply when accessing this website ( and the materials contained in it (the Website). By accessing the Website, you are indicating that you acknowledge the contents of and accept these terms and conditions.  These terms and conditions are subject to change by us at any time in our discretion and your accessing of this Website after such changes constitutes your acknowledgement and acceptance of those changes.

You agree to only use the Website for non-commercial use in accordance with these terms. You agree not to use the Website, any part of it or any of the material contained in it for any purpose which is contrary to the laws of the Republic of Ireland, the European Union (including its Member States) and/or the jurisdiction in which you are based.

We process information about you in accordance with our privacy notice.  By using the Website, you consent to such processing and confirm that any data provided is accurate.

The Website contains links to other websites, and other websites may contain links to the Website. The Website may also contain the content of third parties. We accept no responsibility or liability for the content of those sites or for anything provided by them and are not responsible for their availability or continued existence. We shall not be responsible for any loss or damage which may result from the information on this website or any other website linked to it. The fact that we include links to such external sites does not imply any endorsement of or commercial partnership with their operators.

All intellectual property rights in our name, trademarks, the Website and any part of it (including text, graphics, software and other images, videos, sound, trademarks and logos) are owned by us or our licensors. Except as expressly set out in these terms, nothing gives you or any third party any rights in respect of any intellectual property owned by us or our licensors (including, but not limited to, copying, modifying and reproducing that intellectual property) and you accept that you do not acquire any rights in any content by downloading it from the Website.

Commentary, information and material posted on the Website are not intended to amount to advice, and no person or organisation should make decisions based on the Website. DPR Group is not a legal advisor and before making any decisions you should take the advice of your legal advisors (as well as any other relevant professional advice necessary to verify your particular rights and obligations). We exclude all liability and responsibility arising from any reliance placed on the Website or any part of it by any visitor to our site, or by any third party who may be notified of any of its contents. All liabilities on the part of DPR Group are excluded or limited to the maximum extent permitted by law.

We cannot guarantee the continuous, uninterrupted or error-free operation of the Website. There may be times when the Website or parts of it are not available (whether because of planned maintenance or not) or are restricted, suspended, modified or removed in our sole discretion, without notice. You agree that we will not be liable to you or to any third party for any restriction, unavailability, modification, suspension or withdrawal of the Website, or any parts of it. You acknowledge that whilst we take appropriate measures, we cannot protect the Website, you or your systems from viruses and other malicious code, cyber crime or other inappropriate or illegal use of technology, and that you should implement those appropriate measures to protect against these and other risks which affect you.

If you have any questions or concerns about the content of the Website, these terms or how we handle your personal data, please contact us at




DPR Group may receive and hold your data, and may share it with those organisations about which you have submitted a data request. DPR Group will hold that data securely and will not share your data with any other organisation or person. By contacting DPR Group, you accept that we will need to use your personal information to respond to you.


  • The personal data held by DPR Group:

    • DPR Group holds:

      1. the personal contact details of the commercial contact person(s) (‘Client Contact’) at our current and prospective clients (‘Clients’) (including, but where appropriate not limited to, name, company email address, company phone number) (‘Client Contact Data’), and

      2. on their application (a ‘Data Request’, including, but not limited to, a subject access request, a request to be forgotten etc), the individuals (‘Individuals’) about whom a Client of DPR Group holds personal data (including name, address, contact information – email address, phone number(s), personal concerns around data use, which may potentially refer to sensitive personal data) (‘Individual Data’),

(together, the Client Contact Data and the Individual Data are the ‘Processed Data’).

  • DPR Group do not hold any Individual Data which may be under the control of our Clients, other than to the extent that an Individuals contacts DPR Group with a Data Request in respect of a Client.

  • DPR Group is the data controller of the personal data of its employees.

  • The processes carried out on this data:

    1. Client Contact Data:

      • Contacting the Client Contact at an existing Client for performing the role of Data Protection Representative for the Client.

      • Transmission between DPR Group companies to enable the above.

      • Contacting the Client Contact at a prospective Client, for the purposes of marketing the activity of DPR Group as a Data Protection Representative.

      • Storage of the Client Contact Data.

    2. Individual Data:

      • Storage and transmission of the Individual Data between Individual and Client in relation to a Data Request pursuant to the role of Data Protection Representative.

      • Transmission between DPR Group companies to enable the above.

      • Storage of the Individual Data.

  • The identity and contact details of the controller, the controller’s Data Protection Representative and their data protection officer:

    • For all the Processed Data the Client is the controller in each case; DPR Group is appointed by the Client, who acts as data controller in respect of that data and has appointed DPR Group as processor of that Processed Data with a limited remit as to processing permissions (as set out in this Privacy Notice).

    • Assuming they are a current Client (i.e. that the contract appointing DPR Group as that Client’s Data Protection Representative has not expired or been terminated), the controller’s representative is DPR Group.

    • Because DPR Group has many Clients, please contact us for details of a particular Client’s contact details (noting that these are likely to be different from the Client Contact Data) and that Client’s Data Protection Officer (if any).

    • DPR Group does not have a Data Protection Officer, as it is not required under GDPR to have one. Adherence to GDPR and other data protection obligations is the responsibility of DPR Group’s senior executive directors.

  • The purpose and legal basis for the processing:

    1. Client Contact Data:

      • Purpose – performing the role of Data Protection Representative in respect of the Client’s obligations under Article 27 of GDPR.

      • Legal basis – contractual fulfilment, instruction to process by Client.

    2. Individual Data:

      • Purpose – performing the role of Data Protection Representative in respect of a Data Request, enabling the Individual to gain access to the Client to enquire about the use of their personal data (including, but not limited to, the Individual Data).

      • Legal basis –

        • From the Individual: DPR Group process Individual Data under the instructions of DPR Group (as controller of that data) under a written processing agreement appointing DPR Group as their Data Protection Representative. The Individual accepts this processing by submitting their Data Request.

        • From the Client: contractual fulfilment, instruction to process by Client, obligation under Article 27 of GDPR.

  • The legitimate interests of the controller or third party:

    • The Clients’ interest in the processing of the Processed Data by DPR Group is the fulfilment of their regulatory obligation under Article 27 GDPR to appoint a Data Protection Representative, and to enable DPR Group to undertake that appointment.

  • Categories of personal data:

    1. Client Contact Data:

      • Standard category of personal data only.

    2. Individual Data:

      • Standard category of personal data mainly.

      • Potential that occasionally an Individual may disclose sensitive personal data to DPR Group further to a Data Request in respect of the Client’s controlling or processing of that sensitive data.

  • Recipients or categories of recipients of the personal data:

    • The only recipient of the Processed Data will be the Client in respect of the Individual Data provided by Individuals to DPR Group in respect of Data Requests for that Client.

    • The only personal information provided to the Individual will be their own Individual Data, and any Client Contact Data which the Client instructs DPR Group to provide to the Individual.

  • Transfers to third country and safeguards:

    • When storing of the Processed Data, DPR Group uses password-protected locations with reputable public cloud storage providers. Those public cloud storage providers may transfer that data to third countries, but only where adequate protections are in place.

  • Retention period and criteria used to determine the retention period:

    • DPR Group retain data in our email archive for 10 years to evidence Data Requests of Individuals and responses of Clients in the event of claims made during that later period.

    • Criterion for data retention is the period over which potential for claims exists, to ensure the rights of Individuals are enforceable by way of ensuring their ability to evidence the actions taken in respect of their personal data, to ensure our Clients’ (and DPR Group) have adequate evidence of the proper undertaking by DPR Group of the role of Data Protection Representative.

  • The data subject’s rights:

    • Individuals are notified at each stage of their rights in respect of their data, by way of communications with links to this Privacy Notice.

    • The rights of an Individual as a data subject under existing data protection law and GDPR are:

      • The right to be informed

      • The right of access

      • The right to rectification

      • The right to erasure

      • The right to restrict processing

      • The right to data portability

      • The right to object

      • Rights in relation to automated decision making and profiling

    • For more information on your rights as an Individual and/or data subject, please contact the authority responsible for data protection in your jurisdiction. For persons in the European Union, please follow this link to locate the relevant data protection authority:

  • The right to withdraw consent at any time:

    • Client Contacts and Individuals may withdraw their consent to the use by DPR Group of their personal data. However, it should be noted that this may impact the ability of DPR Group to perform their role as Data Protection Representative.

    • DPR Group will retain, and may process, the Processed Data to the extent it is required to by law or otherwise as set out in this Privacy Notice,

  • The right to lodge a complaint with a supervisory authority:

  • The source of the personal data (including publicly accessible sources):

  1. Client Contact Data:

    • Direct from potential and existing Clients in respect of the commercial activities of DPR Group.

    • Indirectly from persons and organisations who refer potential Clients to DPR Group as part of their commercial activities.

    • From publicly accessible sources where directly marketing to that potential Client.

  2. Individual Data:

    • Directly from the Individual in respect of their Data Request.

    • From the Client to enable DPR Group’s undertaking of the role of Data Protection Representative.

  • Is the provision of personal data part of a statutory or contractual requirement or obligation? What are the possible consequences of failing to provide the personal data?

    • DPR Group provide the Processed Data as set out in this Privacy Notice pursuant to contractual obligations with the Client, the Client having regulatory obligations under GDPR to appoint a Data Protection Representative and to respond adequately to Data Requests.

    • If DPR Group fails to provide personal data to relevant parties as required by the undertaking of the role of Data Protection Representative, the consequences may be a failure of DPR Group in that regulatory role, a corresponding failure of the Client to meet their obligations under GDPR, and a failure to meet the Individual’s rights under GDPR.

  • Is the personal data used for any automated decision making, including profiling and information about how decisions are made?

    • The Individual Data may be considered by DPR Group when making decisions on the appropriate response to a Data Request.

    • Other than above, the Processed Data will not be used in any processing or information gathering processes and, except where otherwise required or permitted, will not be passed to any third party without the consent of the relevant data subject.



1.         Parties

The “Parties” to the Contract (each a "Party") are:

a.         Data Protection Representative Limited (trading as ‘DPR Group’), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 12 Northbrook Road, Dublin, D06 E8W5, Ireland (“DPR”), and

b.         The party who purchases the Services of DPR, as set out in the Order (“You” and “Your”).


2.         Definitions and interpretation

2.1.      Capitalised words used in these Terms and the Contract are defined here and above:

Administration Operations” – the operational actions and administration involved in undertaking the Services, other than the formal acceptance of the role of Data Protection Representative (which is a separate part of the Contract under the definition “Appointment”), as set out in the Order or calculated in accordance with these Terms, most particularly the delivery of communications between You and a Requestor.

Administration Fees” – the Fees payable by You to DPR for Administration Operations.

Applicable Law” – any of the laws applicable to (as appropriate) DPR, You and any Data Subjects for which You hold Information including, without limitation, GDPR.

Appointment” – the appointment of DPR as Your Data Protection Representative pursuant to Article 27 of GDPR as set out in clause 3.2.

Appointment Fee” – the Fee payable by You to DPR for accepting the Appointment, as set out in the Order.

Commencement Date” - the day on which DPR commences their Appointment by You as Your Data Protection Representative, as set out in the Order.

Contract” – the legal contract between DPR and You, incorporating these Terms and the Order, under which the Services are delivered.

"Credit Check Fee" – the Fee of €50 (fifty Euros) required to undertake a credit check procedure unless You are incorporated in a country listed in Schedule 1.

Data” – any information, whether in written or other form including, but not limited to, Personal Data.

Data Protection Authority” – the authority in any EU member state which regulates the control and processing of Personal Data and/or enforces GDPR in that member state.

Data Protection Representative” – the position to which certain organisations are required to appoint a legal person pursuant to Article 27 of GDPR.

Data Request” – a request by a Data Subject or a Data Protection Authority to You pursuant to GDPR, by way of DPR as Data Protection Representative.

Data Subjects” – individual natural persons who are situated in the European Union.

Expiry Date” – each of (a) the day 12 calendar months after the Commencement Date, and (b) the final day of any Renewal Period.

Fees” – the payment(s) to be made by You to DPR pursuant to these Terms.

GDPR” – the General Data Protection Regulation (Regulation (EU) 2016/679), and any amendment or restatement of it.

Order” – the document setting out the specific details of the Contract, including Your details, the Fees and the Commencement Date.

Personal Data” – the personal data of Data Subjects, as defined in the GDPR.

Quarter” – each of four separate periods of three months occurring sequentially during the course of a Contract, with the first Quarter commencing on the Commencement Date and the fourth Quarter ending on the Expiry Date.

Questionnaire” – a document, in the form issued by DPR, by which You declare certain information about Your organisation and operations in respect of Personal Data.

Regulatory Action” – any enforcement action against You for an actual or purported violation of GDPR by the European Union or any EU member state, or by the courts, tribunals etc or the Data Protection Authority of either, whether on their own motivation, at the request of one or more Data Subjects or otherwise.

Renewal Period” – a 12-month period for which the Contract is extended, starting the day after the Expiry Date of the previous Contract period, with an Expiry Date 12 months after that date.

Requestor” – a Data Subject or Data Protection Authority who has made a Data Request, and/or any party which brings a Regulatory Action.

ROPA” – records of processing activities, as required to be prepared by You and held by DPR as Your Data Protection Representative as a result of Article 30 of GDPR (unless You are exempt from this obligation under GDPR).

Services” – the services of a Data Protection Representative (subject to there being an ongoing Appointment), and such other services as may be agreed between the Parties, including the Administration Operations.

2.2.      In the event of a discrepancy or conflict between any provision of the Order, these Terms and any other part of the Contract, the earlier-listed document shall prevail.


3.         Services

3.1.      In consideration of the payment of the Fees, (or provision of a purchase order satisfactory to DPR), and subject to the provision of a Questionnaire and result from a credit checking process which are each confirmed by DPR to be satisfactory, DPR shall provide the Services to You.

3.2.      Pursuant to Your obligation under Article 27 of GDPR, and subject to the satisfaction of the conditions in clause 3.1 above, You hereby appoint DPR as Your Data Protection Representative (the “Appointment”). The date of this Appointment shall be the Commencement Date. Notwithstanding any other evidence of the Appointment, or documents which are considered to constitute the Contract, these Terms, together with the Order, comprise the written document evidencing the Appointment and designating DPR as Your Data Protection Representative, as required by Article 27.1 of GDPR. For the avoidance of doubt, DPR has the absolute discretion to decline Your purported Appointment initially or for any Renewal Period.

3.3.      DPR shall deliver the Services with due care and attention, in a diligent and timely manner, and will apply such time and resources as are reasonably required to deliver those Services.


4.         Invoicing and payment

4.1.      Payment of the Appointment Fee relates to the Appointment, and is due immediately on the formation of a Contract (and any subsequent Renewal Period). If You are incorporated in a country other than those listed in Schedule 1 of these Terms, the Credit Check Fee will also be payable by You to DPR prior to the start of each year of Appointment. Invoices will be raised for the Appointment Fee for Renewal Periods on or around the date 30 days before the Expiry Date.

4.2.      Invoices will be raised for Administration Fees, if any, and any other Fees which arise, on a Quarterly basis.

4.3.      Payment of all invoices is due within 30 days of invoice date. All prices are in Euro (€) and are exclusive of VAT.

4.4.      Administration Fees are calculated per communication (e.g. from a Requestor) processed, at the price set out in the Order. DPR does not charge a fee for processing Your first response to a Requestor to each of their communications, but any communication(s) You send in excess of a first response will be chargeable. Communications from You to DPR, other than for onwards-provision to a Requestor, shall not be chargeable.

4.5.      Where DPR reasonably incurs work or expenditure outside of those expenses listed in the Order, these expenses shall be added to the Administration Fees for a Quarter.

4.6.      Fees for Regulatory Actions:

a.         Notwithstanding anything in the remainder of these Terms, You indemnify DPR in respect of all costs, fees and expenses reasonably incurred by DPR in assessing, dealing with and responding to any Regulatory Actions.

b.         Where a Regulatory Action is raised on or via DPR in respect of You or Your actions and/or omissions, and it appears reasonably likely that DPR may incur costs (whether administrative or for legal or other professional advice), You shall pay on account to DPR a reasonable sum agreed between the Parties (or, in the absence of agreement, at a level which a relevant independent professional estimates DPR is likely to incur) in respect of that Regulatory Action. DPR shall have no obligation to undertake any more than the Administration Operations and its own regulatory obligations until such payment on account is made.

c.         Where the payment on account is not made within a timescale which reasonably permits DPR to respond as required by their Appointment as Data Protection Representative, that shall be considered a reason to terminate the Contract (or the Appointment, at DPR’s discretion) pursuant to clause 7.5, and the termination shall be deemed backdated in line with that clause.

4.7        Where a change to the basis of the Appointment is required during the course of the Appointment, whether as a result of You exceeding the figures quoted in the Questionnaire for the current Appointment period or otherwise, DPR shall be entitled to charge a €50 Fee to record such change. 

5.         Your obligations

5.1.         On the Commencement Date and then at all times until the Expiry Date, You warrant that:

a.         You are compliant with the obligations placed on You by GDPR and all other Applicable Laws;

b.         the information You provided on conclusion of the Contract (including, but not limited to, the information provided in the Questionnaire) is accurate and complete and You will notify DPR of any material change to the information provided in the Questionnaire during the Appointment (and You note in particular that only the corporate entities and the names under which they trade which are listed on the Questionnaire are included in the Appointment, and any subsidiaries or group companies of You – or names under which You trade – which are not listed on the Questionnaire will not be included in the Appointment);

c.         You have not been the subject of a Data Request or Regulatory Action, other than to the extent notified to DPR prior to entering into a Contract;

d.         You will provide DPR with a copy of Your ROPA within 30 days of the Commencement Date, and update DPR with changes to the ROPA as necessary;

e.         You will provide the necessary responses, within the necessary timescale, to any communication in respect of a Data Request, Regulatory Action or other request for response from DPR;

f.         You are financially solvent and able to pay Your debts as they become due; and

g.         You will update DPR with Your contact details, in particular an email address at which You can be contacted.

5.2.         You acknowledge and agree that:

a.         DPR has obligations under GDPR in respect of Your ROPA but is not in a position to prepare or advise on whether an exemption from this obligation applies to You, nor whether any ROPA You have prepared is accurate, adequate or complete. Accordingly, DPR relies on You to provide the ROPA (and update it as necessary) to DPR or advise whether You are exempt from the obligation to prepare a ROPA. If You have not provided a ROPA to DPR within 30 days of the Commencement Date, DPR shall be entitled to conclude that You believe You are exempt from the obligation to prepare the ROPA and shall be entitled to report that exemption to any Data Protection Authority which requests Your ROPA. You indemnify DPR for any liability which arises for DPR as a result of You failing to provide a ROPA, providing an inaccurate or incomplete ROPA or claiming incorrectly that You are exempt from the obligation to prepare a ROPA, whether expressly or as a result of the operation of this clause (but, to the extent You have met Your obligations in respect of the ROPA, this shall not exclude DPR’s liability under GDPR for failing to meet their obligations);

b.         there are many official languages in the EU, and that Data Requests and Regulatory Actions may be issued in any of those languages. DPR Group is under no obligation to translate the contents of Data Requests or Regulatory Actions unless otherwise agreed with You, and additional Fees will apply to such translation. In the event that DPR provides any translation services, such services are provided on a reasonable endeavours basis and DPR excludes all liability for any errors and omissions in such translation, which You agree is reasonable. DPR takes no responsibility for any interpretation of languages (other than the English language) unless such additional Fees are paid, and DPR’s liability in respect of translation is otherwise limited to 125% of such Fees;

c.         the terms of the Appointment are based, in part, on the number of communications DPR anticipates it will receive on Your behalf and, because excess communications will result in extra Fees and work for You, it is reasonable for DPR to filter out communications which are apparently ‘spam’ or otherwise uninvited and undesired communications and, notwithstanding that DPR shall make reasonable endeavours to forward to You any communication which appears genuine (whether or not it appears to be a Data Request, e.g. we would expect to forward to You a purported service request by Your customer which has been directed to DPR in error) – each of which shall count towards the permitted number of communications during the then-current Appointment period – DPR shall not be liable to You (as a result of a violation of GDPR or otherwise) for any communication it fails to forward to You where it believes, having reviewed that communication and acted reasonably, that such communication is not a Data Request;

d.         the delivery of Data Requests and Regulatory Actions via postal service is subject to many factors, including forwarding of such documents between DPR’s locations in the EU. DPR will make reasonable endeavours to provide such Data Requests and Regulatory Actions to You as soon as reasonably practicable, but DPR cannot guarantee that such delivery will be within Your or a Data Protection Authority’s required deadline; and

e.         at DPR’s request (such request not to be made more than once in any 12-month period), You will provide written details of the information provided on which DPR calculated the Fees (including, but not limited to, the information set out in the Questionnaire), in particular numbers of Data Subjects and any special factors giving rise to Fee discounts (accreditations etc).


6.         Data, confidentiality and integrity

6.1.      Neither Party will disclose to any third party, without the written consent of the other Party, any Data received from the other Party or any Data Subject, Requestor, Data Protection Authority or any other party because of or in connection with the Contract, and for these purposes all Data shall be considered confidential. Both parties agree that any confidential information shall only be used for the purposes of providing or receiving Services, and may be provided to other third parties involved in the delivery of the Services on the condition that those third parties are under confidentiality provisions no less stringent than set out in these Terms. This obligation of confidentiality shall not extend to information (a) in the public domain, (b) which was already in the possession of a Party when received from the other Party; or (c) information which a Party is required by law to disclose.

6.2.      DPR will process Personal Data in line with their privacy notice, available for inspection at

6.3.      Notwithstanding the remainder of this clause 6, You acknowledge and agree that DPR has an obligation under GDPR to provide a Data Protection Authority with a copy of Your ROPA if they request. DPR shall notify You if such a request is made, and the response provided.

6.4.      Both Parties agree that they shall each observe the requirements of the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act (each as amended or restated) or, to the extent it offers protections from corruption no less onerous than those laws, the equivalent law in the jurisdiction in which they are based. Breach of this clause 6.4 by one Party shall entitle the other Party to terminate the Contract immediately.

7.         Term and termination

7.1.      The formation of the Contract and, unless agreed to be some later date, simultaneously the Appointment of DPR as Your Data Protection Representative, occurs on the Commencement Date. For the avoidance of doubt, DPR's receipt of payment (directly or from a third party) shall not be sufficient evidence of DPR’s acceptance of the Appointment.

7.2.      The Services will be provided by DPR to You from the Commencement Date or the start of the relevant Renewal Period (as appropriate) until the subsequent Expiry Date.

7.3.      DPR shall make reasonable endeavours to advise You by email at least 45 days before the Expiry Date of the Fees for the subsequent Renewal Period. DPR’s Appointment for a Renewal Period will be subject to (a) payment of the Appointment Fee for the Renewal Period (or a purchase order satisfactory to DPR), (b) the provision of a Questionnaire from You which is satisfactory to DPR, and (c) the result from a credit checking process which is satisfactory to DPR, and any terms for a Renewal Period which are provided prior to satisfaction of these conditions will remain conditional on their subsequent satisfaction (and DPR’s Appointment as Your Data Protection Representative is similarly conditional on DPR’s satisfaction of how these conditions are met). Unless specifically agreed in the Order, the Appointment will not automatically renew for a Renewal Period and, if conditions (a) and (b) above have not been satisfied by the Expiry Date of the expiring Appointment, any discount to which You are entitled for renewing the Appointment shall no longer be available to You.

7.4.      The Contract shall terminate:

a.         on notice by either Party if the other Party is in material breach of the Contract (and, for the avoidance of doubt, if 
    i.    Your financial position changes so that You would no longer pass a credit check to DPR’s      satisfaction; or 
    ii.   You suffer an event which DPR believe should be reported to the Data Protection 

    Authorities (or which would otherwise be likely to result in a Regulatory Action if known by

    the Data Protection Authorities) and DPR is unsatisfied with Your explanation of the event, 

    why it need not be reported or the rectification You have put in place to prevent such event

    in the future),
You shall be considered to by in material breach of the Contract);

b.         automatically and immediately if You are in breach of Your warranties and obligations in clause 5;

c.         on notice by DPR with immediate effect in the event of Your ceasing to trade, entering administration, insolvency proceedings or any other equivalent or analogous proceedings in Your jurisdiction;

d.         on 30 days’ notice by You.

7.5.      The Appointment shall be deemed to have terminated at a time immediately prior to Your commencement of a practice or the occurrence of an event which gave rise to a Regulatory Action resulting from a breach of Applicable Law (and, if that practice or event commenced or occurred prior to the Commencement Date of the initial Appointment, the Appointment shall be deemed terminated from inception, so that no Appointment was ever effective), but the delivery of the Administration Operations shall continue until the earlier of the Expiry Date and the date the Contract is terminated. For the avoidance of doubt, the existence of the Contract, and the provision of Services, does not automatically imply that an Appointment is in force.

7.6.      On the termination of the Contract, DPR’s Appointment as Data Protection Representative will immediately cease and, to the extent that DPR continues to provide any other services to You, these are provided on a reasonable endeavours basis as an administrative service and not as Data Protection Representative. To the extent not already done, and other than to the extent permitted or required for legal/archival purposes, DPR will delete the Personal Data relating to You and those Data Subjects related to You.

7.7.      Notwithstanding the remainder of this clause 7, on Your written application and DPR’s written agreement, DPR may suspend their termination of the Appointment or the Contract, either partly or in full, to allow You the opportunity to dispute a Regulatory Action or other finding that You are in breach of an Applicable Law. In the event that Your dispute fails, termination of the Appointment is deemed backdated to the time it would have terminated had such suspension not been agreed and, although DPR shall be liable to You for actions and omissions during a period when the Appointment is suspended, DPR’s liability as Data Protection Representative shall be suspended during the period the Appointment is suspended.

7.8.      In the event the Contract and/or the Appointment are terminated prior to the Expiry Date, no refund of any Fees will be due.

7.9.      If DPR has not commenced their Appointment (in line with clause 3.1), or the conditions for the commencement of a Renewal Period (as set out in clause 7.3) have not been met, DPR does not accept any purported Appointment by You to the role of Data Protection Representative. In the event You identify DPR as Your Data Protection Representative, or continue to do so, during a time which DPR has not accepted such an Appointment:
a.    DPR does not accept the role of Data Protection Representative for You and will not undertake any operations which may imply they have accepted such an Appointment (and, if any such operations are undertaken by DPR, acting at their discretion, such operations are provided on a reasonable endeavours basis as a provider of administrative services and not as a Data Protection Representative);
b.    if DPR subsequently accepts Your Appointment, You shall be liable to pay DPR a pro-rata Appointment Fee for the time during which You have identified DPR as Your Data Protection Representative (and, if that time cannot be adequately proven, the date from which such Appointment Fee shall be paid back to shall be the later of (i) 25 May 2018 and (ii) the date the appointment of Your previous Data Protection Representative expired); and
c.    notwithstanding the remainder of these Terms and/or the Contract, You indemnify DPR for any liability which arises as a result of identifying DPR as Your Data Protection Representative when DPR has not accepted this role.


8.         Liability, Warranty and Indemnity

8.1.      You indemnify DPR for any liability it incurs pursuant to the Appointment as a result of Your actions or omissions in respect of GDPR and the Applicable Laws. You acknowledge that this is reasonable and proportionate given that, other than obtaining Your warranty to that effect in these Terms, DPR has no way of assessing or control over Your compliance with GDPR or Applicable Laws.

8.2.      Where You comprise of more than one entity (e.g. where the Appointment is for more than one corporate entity, identified by such entities being listed in the Order), each entity for which DPR acts as Data Protection Representative is jointly and severally liable to DPR under the Contract for the actions and/or omissions of each and every other entity under that Appointment.

8.3.      DPR does not provide advice to You in respect of obligations under GDPR or other Applicable Laws and, to the extent that DPR provides You with any information in respect of Applicable Laws generally or in respect of a Data Request or Regulatory Action, that information is general and/or based on publicly-available sources of information. You acknowledge that such information does not take into consideration Your specific situation and circumstances and You agree that You always seek the advice of a legal and/or other relevant professional before proceeding in respect of GDPR, Applicable Laws, Data Requests, Regulatory Actions and/or other similar legal obligations or proceedings.

8.4.      Whilst DPR will have access to the Personal Data of a Requestor, You agree not to supply DPR with any other Personal Data and, to the extent that You do supply DPR with such other Personal Data, You indemnify DPR for any claim made by a Data Subject, Data Protection Authority or other third party in respect of DPR’s possession of that Personal Data.

8.5.      Notwithstanding anything in these Terms or a Contract, DPR shall not be liable to You for any consequential or indirect losses including, without limitation, loss of profits, loss of reputation, legal costs, fines under Applicable Laws and any event which is out of the control of DPR (e.g. fire, flood, industrial action, loss of service etc).

8.6.      Where DPR arranges for consultancy/advice etc. in respect of Your compliance with GDPR, the Applicable Laws or any other compliance matter, such consultancy/advice is provided pursuant to a contractual relationship between You and a third-party consultant/advisor, and DPR accepts no liability for the actions or omissions of that third party. Notwithstanding the remainder of these Terms or a Contract, DPR’s maximum aggregate liability to You for the advice of third parties is limited to the sum which DPR received from the third party for introducing them to You, if any.

8.7.      Other than as required by the delivery of the Services, DPR does not, and is not expected to, represent You in any general or specific manner. Other than as required by the Appointment, these Terms or the Order, DPR Group reserves the right not to enter into or accept communications from any third party on behalf of or for You and, if DPR Group agrees with You to act in respect of such communications, separate Fees will be agreed for the provision of such communications (and in the absence of agreement, the Fee for each communication shall be Your usual Fee calculated in accordance with clause 4.4, plus the standard additional Fee for non-Appointment communication of €40). DPR Group shall have no liability to You for any communication or activity outside of the Services.
8.8.    Subject to clause 8.6, DPR’s maximum aggregate liability to You for all matters relating to the Contract, Appointment or otherwise is limited to €1,000,000 (one million Euros), other than for death, personal injury, fraud and such other occurrences for which liability cannot be limited by law.

9.         General provisions

9.1.      No variation to the Contract or these Terms shall be valid unless agreed by both Parties in writing (which shall include email).

9.2.      You may not assign or otherwise transfer the benefit or burdens of the Contract. DPR may use selected third parties to provide delivery of the Services.

9.3.      The Parties agree that these Terms and the Contract are governed by the laws of England and Wales and are subject to the courts of England, and any terms implied into these Terms or the Contract to the contrary shall be excluded to the maximum extent permitted.

9.4.      If any provision of these Terms or the Contract is found to be unenforceable, it shall be considered severed from the Contract to the extent required to make the Contract enforceable and, unless prohibited, equivalent terms shall be deemed included in the Contract which are as close as permitted to the original intention of the severed provision.

9.5.      No third party may enforce any provision of these Terms or the Contract by virtue of the Contracts (Rights of Third Parties) Act 1999 or any other method.

9.6.      No failure by DPR to exercise, or delay in exercising, any right in the Contract shall be deemed a waiver of that or any other right, nor shall any partial exercise of a right preclude any further or other exercise of that or any other right.

9.7.      These Terms and the Contract have been drafted in the English language. If these Terms, an Order or any other part of the Contract is translated into another language, the English language text prevails.

9.8.      Any notice, demand, request, statement, instrument, certificate or other communication given, delivered or made by a Party to the other, under or in connection with a Contract, shall be in writing and may be served by email (in the case of DPR to, in the case of You to the email address You have most recently provided) or by hand / prepaid first class post to the registered address of the addressee Party and shall be in English language. Fax shall not be an adequate method of providing notice.

9.9.      These Terms supersede all previous written or other documents or agreements (written or oral) relating to the subject matter of these Terms, including any terms You or Your documentation seek to infer into the Contract, and You acknowledge that (a) in the absence of the applicability of these Terms, the Appointment of DPR as Your Data Protection Representative under clause 3.2 is ineffective, and (b) that no other document provides terms satisfactory to DPR for entering into such an Appointment. These Terms are subject to update at DPR’s discretion, and any Renewal Period for which a Contract is concluded shall be based on the Terms applicable at the start of that Renewal Period, available for review at

9.10.    Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between the Parties, constitute any Party the agent of another Party, or authorise any Party to make or enter into any commitments for or on behalf of any other Party.

SCHEDULE 1 – Countries of incorporation where a Credit Check Fee will not be charged: 
Afghanistan, Albania, Argentina, Armenia, Australia, Austria, Azerbaijan, Bangladesh, Belarus, Belgium, Bosnia and Herzegovina, Brazil, Bulgaria, Cambodia, Canada, Chile, China, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Greenland, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Italy, Kazakhstan, Kosovo, Kyrgyzstan, Lao (People's Democratic Republic), Latvia, Liechtenstein, Lithuania, Luxembourg, Macedonia (The Former Yugoslav Republic of), Malaysia, Malta, Mexico, Moldova (Republic of), Montenegro, Myanmar, Nepal, Netherlands, New Zealand, Norway, Pakistan, Poland, Portugal, Romania, Russian Federation, Serbia, Singapore, Slovakia, Slovenia, South Korea, Spain, Sri Lanka, Svalbard And Jan Mayen, Sweden, Switzerland, Taiwan, Tajikistan, Thailand, Turkmenistan, Ukraine, United Kingdom, United States, Uzbekistan, Vietnam

Version 2.3 (with effect from 14 February 2020)


12 Northbrook Road,





©2019 BY DPR