Brexit and particularly the legal and political back and forth of the past years have strained a lot of company resources and often left executives puzzled about the legal requirements to expect. Regardless of whether or not the EU and the UK reach an agreement on the future trade relations by the end of 2020, when it comes to data protection, one thing is clear for now:
The regimes of data protection laws will split, as the EU GDPR ceases to apply in the UK, having the effect that many UK-based companies will need to appoint an EU GDPR representative under Art. 27 EU GDPR, and – vice versa – many EU-based companies will need to appoint a UK GDPR representative pursuant to Art. 27 of the new UK GDPR, with the transitional period ending as of 1 January 2021.
The need for Data Protection Representatives under EU and UK law depend on where the company is located, or, at least, maintains offices, branches, and subsidiaries. A company is only required to appoint an EU GDPR Representative if it is not physically present in the EU, and a UK GDPR representative if it has no offices in the UK.
EU GDPR Representative for UK companies
Which British companies need to appoint an EU Representative under Art. 27 EU GDPR?
UK companies without establishments in any of the EU member states will need to appoint an EU GDPR Representative as of 1 January 2021, if they process personal data of individuals that are located in the EU (regardless of their citizenship) in a way that falls within the extraterritorial scope of the EU GDPR. The EU GDPR applies to UK companies if the processing of personal data from individuals in the EU relates to either the offering of goods or services (even if provided for free) to such data subjects in the EU, or if the company monitors the behaviour of EU data subjects.
Examples of typical use cases triggering the EU GDPR Representative requirement include the provision of financial, business and legal services to EU citizens, online retail, marketing and adtech products, cloud vendors and SaaS, transportation and aviation, clinical trials, health and diagnostic services, cookie-based advertisement, as well as digital services, such as mobile apps and online communities. You can learn more about the international scope of the GDPR here, or simply take our online test to find out if your company needs an EU Representative.
Exceptions from the obligation to appoint an EU Representative apply to public authorities and bodies, and to data processing by companies "which is occasional, does not include, on a large scale, processing of special categories of data" (as defined in Articles 9 and 10 of the EU GDPR) and "is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing". Given the fact that the conditions must be met cumulatively, the exception is rather narrow and cannot be applied to companies that maintain data flows with the EU on a regular basis.
What is the role of an EU Representative for UK companies?
According to Article 27 of the EU GDPR, the EU Representative is mandated by the data controller or processor "to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to [data] processing". Hence, the Representative acts as a local point of contact for matters of data protection and privacy, and receives communications from data protection supervisory authorities in official proceedings, as well as, for example, requests from data subjects to exercise their GDPR rights (access request, right to be forgotten, etc.). In Germany, service of process to the EU Representative in civil proceedings has legal effect for the represented company.
To this end, the contact details of the EU Representative must be published in the company's privacy policies in accordance with Articles 13 and 14 EU GDPR. The EU Representative must be established in one of the EU member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. It shall be designated in writing. The EU Representative keeps a copy of the company's Records of Processing Activities (Article 30 EU GDPR), which is basically a data mapping spreadsheet, reflecting the business operations subject to the EU GDPR. Upon request of EU supervisory authorities, the EU Representative must cooperate with them and disclose the Article 30 documentation.
According to the European Data Protection Board, the appointment of an EU Representative leads to a one stop shop for data breach reporting under Article 33 EU GDPR. Instead of addressing up to 43 different authorities in the EU, companies with an appointed EU Representative need to submit the notification to one single authority, even if the breach affects data subjects in all EU countries.
What are the risks of non-compliance for UK companies?
Companies that must appoint an EU representative but fail to do so can be fined with administrative penalties of up to 10 mio. € or 2%of the total worldwide annual turnover, whichever is higher. Also, as it is not finally clear whether companies may be liable towards competitors, non-compliance bears further litigation risks, and reputational damages to the brands in case of public attention and media coverage.
What does the EU GDPR Representative Service of EU-REP.Global include?
EU-REP.Global specializes in effective, lean and transparent EU Representative services. We help you compile the necessary documentation (Article 30 GDPR), implement the changes into your privacy policies, and render second-level support for handling incoming requests on a flat fee basis. Please click here to learn more about the scope of our services and pricing.
Trusted by
UK GDPR Representative for EU companies
Which EU companies need to appoint a UK Representative under Art. 27 UK GDPR?
An EU company without an establishment in the UK will need to appoint a UK GDPR Representative as of January 1, 2021, if it processes personal data of individuals that are located in the UK (regardless of their citizenship) in a way that falls within the extraterritorial scope of the UK GDPR. The UK GDPR applies to EU companies if the processing of personal data from UK data subjects relates to either the offering of goods or services (even if provided for free) to such data subjects, or if the company monitors the behaviour of UK data subjects.
Examples of typical use cases triggering the UK GDPR Representative requirement include the provision of financial, business and legal services to UK citizens, online retail, marketing and adtech products, cloud vendors and SaaS, transportation and aviation, clinical trials, health and diagnostic services, cookie-based advertisement, as well as digital services, such as mobile apps and online communities. You can learn more about the international scope of the EU GDPR here - the very same concept applies with regard to the UK GDPR respectively.
Exceptions from the obligation to appoint an UK Representative apply to public authorities and bodies, and to data processing by companies "which is occasional, does not include, on a large scale, processing of special categories of data" (as defined in Articles 9 and 10 of the UK GDPR) and "is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing". Given the fact that the conditions must be met cumulatively, the exception is rather narrow and cannot be applied to companies that maintain data flows with the UK on a regular basis.
What is the role of a UK Representative for EU companies?
According to Article 27 of the UK GDPR, the EU Representative is mandated by the data controller or processor "to be addressed in addition to or instead of the controller or the processor by, in particular, the [British Information] Commissioner and data subjects, on all issues related to [data] processing". Hence, the Representative acts as a local point of contact for matters of data protection and privacy, and receives communications from the British data protection supervisory authority in official proceedings, as well as, for example, requests from data subjects to exercise their UK GDPR rights (access request, right to be forgotten, etc.).
To this end, the contact details of the UK Representative must be published in the company's privacy policies in accordance with Articles 13 and 14 UK GDPR. The Representative must be established in in the UK and shall be designated in writing. The UK Representative keeps a copy of the company's Records of Processing Activities (Article 30 UK GDPR), which is basically a data mapping spreadsheet, reflecting the business operations subject to the UK GDPR. Upon request, the UK Representative must cooperate with the British Information Commissioner's Office and disclose the Article 30 documentation.
What are the risks of non-compliance for EU companies?
Companies that must appoint a UK representative but fail to do so can be fined with administrative penalties of up to £8.7 mio. or 2%of the total worldwide annual turnover, whichever is higher. Futhermore, non-compliance bears the risk of reputational damages to the brands in case of public attention and media coverage.
What does the UK GDPR Representative Service of EU-REP.Global include?
EU-REP.Global specializes in effective, lean and transparent UK Representative services. With our British partners, we help you compile the necessary documentation (Art. 30 UK GDPR), implement the changes into your privacy policies, and render second-level support for handling incoming requests on a flat fee basis.
We have no offices in the EU and the UK at all – do we need GDPR Representatives?
Yes, if your company falls within the extraterritorial scope of the EU GDPR and / or the UK GDPR. For companies that maintain business relations with both the EU and the UK (and are based in, for example, the United States, Canada, China, Japan, or Israel), EU-REP.Global offers discounted solutions to cover both requirements. Click here to learn more about how the EU GDPR affects companies on other continents, or take our online test to find out if the EU Representative requirement applies to your business by answering only 4 questions.
