Obligation to appoint a representative after Brexit
Do we need a Representative in the UK or the EU?
Introduction
The transition period until 31st December 2020 has ended and the UK has officially left the EU. Since then, the UK GDPR applies instead of the European directives and regulations, especially the EU GDPR.
The trade deal between the EU and the UK leads to a number of data protection compliance requirements that companies and organisations should consider. In particular, they may need to appoint an Article 27 representative in the UK and/or the EU.
Who needs a representative?
How to appoint a representative?
Non-EU companies need a representative in the EU under Article 27 of the EU GDPR in order to process data of individuals in the EU. Under UK law, more precisely Article 27 of the UK GDPR, non-UK based businesses have to appoint a representative in the UK if they are offering goods or services to individuals in the UK or monitoring their behaviour. The UK GDPR requirement mirrors the requirement in the EU GDPR. The threshold that triggers an obligation to appoint a representative is quite low.
If those rules apply to you, you need to appoint a representative before the end of the transition period. The UK representative can be an individual, a company or an organisation that is able to represent you regarding your obligations under the UK GDPR. The agreement with the representative needs to be in writing.
Furthermore, the representative has to be identifiable. This means they must be mentioned in the privacy policy or in the information provided to data subjects before each collection of data. It is also mandatory that supervisory authorities (e.g. the ICO) can easily find out who your representative is, for example by publishing it on your website.
Having a representative will not affect your own responsibility or liability under the UK GDPR. But according to the EDPB it is possible to initiate sanctions against the representative.
Public authorities or organisations which only process data occasionally or at low risk do not need a representative pursuant to Article 27 (2) of the UK GDPR.
Where should your representative be located?
The UK Representative should be located in the UK. They serve as a first point of contact for the supervisory authority and individuals, which enables barrier-free communication. The EU Representative should be located in a member state where at least one of the data subjects whose data is being processed is based. Note that you do not need to appoint multiple representatives if you process data of individuals in multiple member states.
As a result, since 1st January 2021, EU companies and organisations need a UK representative while UK companies and organisations need to appoint an EU representative. Companies or organisations which are neither located in the UK nor the EU need to appoint a UK and an EU representative in order to comply with the (UK) GDPR.
What happens if you do not appoint a Representative?
If a company or organisation fails to appoint a representative, fines may be imposed. The fine is 2% of the global turnover or €10.000.000, whichever is higher.
Conclusion
Therefore, you should appoint a representative if you fulfil the requirements mentioned above. It might also be necessary to appoint two representatives, one for the EU and one for the UK. Note that the appointment of a representative should not be confused with the appointment of a data protection officer.
Please see our offers for EU-GDPR and UK-Representative and discounted bundle.