GDPR and Brexit – do you need to appoint a representative in the EU?


10th December 2020

We look at the impact of Article 27 of the EU GDPR on UK businesses.

Brexit does not necessarily mean your business can forget about European data protection law (the EU GDPR).  If you are based in the UK but don’t have any offices, branches or other establishments in the EU/EEA, your primary concern will be to comply with the UK GDPR – how the GDPR will apply in the UK after the transition period ends.  But even if you have no physical presence in the EU/EEA then the EU GDPR can still continue to apply to you.  This includes if you are processing the personal data of individuals (including sole traders but not companies) in the EU/EEA that relates either to:

  • Offering goods or services to individuals in the EU/EEA – for example through an e-commerce platform; or
  • Monitoring the behaviour of individuals in the EU/EEA – for example through the use of CCTV, health analytics services, cookies that track user behaviour or by the use of wearable or smart devices.

Representative in the EU/EEA

Given the UK GDPR and the EU GDPR are pretty much the same that isn’t necessarily a problem as long as you are GDPR-compliant.  But what may surprise you is that unless your processing is both “occasional” and unlikely to result in a risk to individual’s data protection rights and freedoms, then you will need to appoint a representative in the EU/EEA under Article 27 of the EU GDPR.

This is not a new requirement – it has been in the EU GDPR throughout – and US companies, for example, processing the data of EU citizens have had to have regard to it.  What’s new for the UK is that once we become a third country – outside of the EU data protection regime – once the transitional period ends – we too will be treated like the US by Europe.

The Article 27 representative will act as a point of contact within the EU/EEA for individuals and EU regulators who want to contact you.

You only need to appoint one representative in the EU/EEA.  If you focus on one EU/EEA state then you are best advised to appoint a representative there.  Otherwise it can be in any state where the individuals whose data you are processing reside.

You will need to have written terms of appointment with your EU/EEA representative authorising them to act on your behalf relating to your EU GDPR compliance and dealing with any regulators or individuals in that respect.  Appointing a representative does not affect your own responsibility or liability under the EU GDPR.

Your representative can be an individual, a company or an organisation in the EU/EEA who is able to represent you as regards your EU GDPR obligations – this might be under a simple service contract for example or another arrangement more suitable given the circumstances.

You will need to inform regulators and individuals in the EU/EEA that you have such a representative by including details in your privacy policy and on your website, for example.

How can Blake Morgan help?

As a UK-based law firm Blake Morgan is working with members of our international legal networks TAGLaw and the euroITcounsel to assist clients who need an EU representative.  For more information please contact us.

Tags:

Sign up for our mailings

Register here

Enjoy That? You Might Like These:


articles

18 November -
Crises aren’t new for in-house legal teams, and of late we’ve seen widespread IT outages, sudden regulatory changes, elections, and political unrest. As in-house teams respond to an increasing number... Read More

articles

31 October -
The Autumn Budget 2024 saw significant tax changes, and, particularly, to Inheritance Tax (IHT), Capital Gains Tax (CGT), and Stamp Duty Land Tax (SDLT). We briefly summarise what you need... Read More

articles

31 October -
The Autumn Budget 2024 saw history being made as Rachel Reeves who became the first female to hold the office of Chancellor set out arguably the biggest tax changes for... Read More