Door one
Market Entry
The first European customer, the first EU hire, the first analytics tag on a visitor in Berlin — each one starts a clock. Market Entry builds the compliance file that should exist before that clock starts: lawful bases under the GDPR, the Swiss overlay the GDPR cannot supply, a cookie setup that survives inspection, and the representative appointments that crossing the border triggers.
Do you need this
You need this engagement if
- Your company is outside Europe and is about to sell, advertise, or hire in the EU, Switzerland, or Norway — or quietly already does.
- A European enterprise customer sent a vendor questionnaire asking for your transfer mechanism, your Art. 28 data-processing agreement, or your breach procedure, and the honest answer is "we don't have one."
- Your website or app collects data from European users and nobody has verified what actually fires before the consent click.
- You built GDPR compliance once, years ago, and it has never been mapped to Switzerland, Norway, or the regulations the EU has added since.
Some companies need one document, not a program. If your exposure comes down to a single appointment or a cookie fix, we scope that piece alone and say so in the first call.
What it covers
Four instruments, built as one file
Nobody enters "Europe." You enter a set of overlapping regimes, and the file has to answer each one without contradicting the others. These are the four that market entry almost always puts in play.
Regulation (EU) 2016/679
GDPR
The load-bearing wall. Article 6 lawful bases assigned to every processing activity, an Article 30 record of processing, Article 28 contracts with every processor, a working answer to Articles 15–22 rights requests, and an Article 33 breach process that fits inside 72 hours. The penalty ceiling — the greater of €20 million or 4% of worldwide annual turnover — is why the documentation is written to be examined, not filed.
revFADP · in force since 1 Sept 2023
Swiss revFADP overlay
Switzerland writes its own data protection law and enforces it through its own regulator, the FDPIC. The revFADP's information duties, processing records, and transfer rules resemble the GDPR without matching it — and unlike the GDPR, several of its penalties fall on responsible individuals personally. We map the delta onto your GDPR program instead of building Switzerland twice.
Directive 2002/58/EC
ePrivacy & cookies
The ePrivacy Directive governs cookies and trackers separately from the GDPR, and it is where European enforcement most often begins, because violations are visible from the outside. Consent must come before the tag fires, refusing must cost no more clicks than accepting, and withdrawal must work. We correct the consent platform, the tag sequencing, and the record behind both.
Regulation (EU) 2023/2854 · applies from 12 Sept 2025
EU Data Act
The newest wall of the rulebook. The Data Act gives users rights over data generated by connected products and obliges cloud services to make switching possible. If your entry involves devices, telemetry, or a hosted platform, we identify which obligations attach and what your customer contracts have to say about them.
Article and regulation references identify the instruments Privello works with. They are orientation, not legal advice.
What you receive
The deliverables, by name
An engagement ends with documents on your side of the table and a team that knows how to use them. This is the standard set; scope adds or removes pieces, never blurs them.
Data Map & Gap Report
Where personal data enters, lives, and leaves the business, measured against the GDPR, the revFADP, and any sector rules in play — with every gap ranked by the risk it carries.
Art. 30 ROPA
The record of processing activities regulators ask for first. Built from interviews with the people who handle the data, so it describes your operation rather than a template's.
Notices & retention rules
Privacy notices for each market in language a customer can read, plus internal retention and minimisation rules the team can follow without a lawyer in the room.
Art. 28 DPA pack
Data-processing agreements for your processors, a sub-processor register, and Swiss-amended SCCs with the transfer impact assessment documented behind them.
Consent architecture
A cookie banner configured to the law rather than to the vendor default, tag firing corrected end to end, and a consent record that holds up when someone checks.
DSAR & Breach Playbooks
Two workflows with named owners: one that answers an Articles 15–22 rights request on time, one that gets a breach assessed and notified inside Article 33's 72 hours.
How it runs
Four steps, fixed fee
- 1. Scope. One working session on the business: which markets, which data, which systems. You leave with a written scope and a fixed fee, not an hourly meter.
- 2. Assess. The data map and gap report, built from how the operation actually runs. Urgent exposures are flagged as they surface, not saved for the final deck.
- 3. Build. The full deliverable set, drafted to fit your systems and vendors, with any representative appointments arranged alongside through established European providers.
- 4. Hand over. A working walkthrough with the people who own each playbook. The measure of success is that the program runs without us.
Start smaller
Want evidence before a program?
The fixed-price Cookie Compliance Audit examines your site the way a regulator would and returns a findings report with a remediation roadmap in about two weeks. Many Market Entry engagements start exactly there.
Common questions
Asked before nearly every engagement
We have no European office. Does the GDPR reach us anyway?
Usually, yes. Article 3(2) applies the GDPR to companies outside the EU that offer goods or services to people in the Union or monitor their behaviour — a checkout in euros, an app in an EU store, analytics on EU visitors. Once it reaches you, Article 27 typically adds the duty to appoint an EU representative.
Our GDPR program is solid. Does that cover Switzerland?
Not by itself. Switzerland is neither EU nor EEA, and the revised Federal Act on Data Protection has governed there since 1 September 2023, with its own information duties, its own transfer rules, and penalties that can attach to individuals personally. A GDPR program is the right starting material; the Swiss overlay still has to be built deliberately.
We installed a cookie banner. Are we done with ePrivacy?
A banner is the visible ten percent. The ePrivacy Directive requires consent that is prior, informed, and freely given before non-essential cookies fire — and regulators test the firing order, not the banner text. Tags that load before the click, reject buttons hidden a layer deep, and consent that cannot be withdrawn as easily as it was given are where findings actually come from.
Does the EU Data Act apply to a software company?
It can. Regulation (EU) 2023/2854 applies from 12 September 2025 and reaches connected products, related services, and cloud and data-processing services offered in the EU. If you sell devices that generate data or run a cloud platform for EU customers, it adds access, sharing, and switching obligations that sit alongside the GDPR rather than inside it.
Begin
Enter with the file already built
Tell us the markets, the data, and the timeline. One conversation is usually enough to say what has to exist before launch and what can follow it.