Simon Stokes, a partner in our technology team, looks at the impact of Article 27 of the EU GDPR on UK businesses.
Brexit does not necessarily mean your business can forget about European data protection law (the EU GDPR). If you are based in the UK but don’t have any offices, branches or other establishments in the EU/EEA, your primary concern will be to comply with the UK GDPR – how the GDPR will apply in the UK after the transition period ends. But even if you have no physical presence in the EU/EEA, the EU GDPR can still apply to you. This includes where you are processing the personal data of individuals (including sole traders but not companies) in the EU/EEA that relates either to:
- Offering goods or services to individuals in the EU/EEA – for example through an e-commerce platform; or
- Monitoring the behaviour of individuals in the EU/EEA – for example through the use of CCTV, health analytics services, cookies that track user behaviour or by the use of wearable or smart devices.
Representative in the EU/EEA
Given that the UK GDPR and the EU GDPR are pretty much the same, that isn’t necessarily a problem as long as you are GDPR-compliant. But what may surprise you is that, unless your processing is both “occasional” and unlikely to result in a risk to individuals’ data protection rights and freedoms, you will need to appoint a representative in the EU/EEA under Article 27 of the EU GDPR.
This is not a new requirement – it has been in the EU GDPR throughout – and US companies, for example, processing the data of EU citizens have had to have regard to it. What’s new for the UK is that once the transitional period ends and we become a third country, outside of the EU data protection regime, we too will be treated like the US by Europe.
The Article 27 representative will act as a point of contact within the EU/EEA for individuals and EU regulators who want to contact you.
You only need to appoint one representative in the EU/EEA. If you focus on one EU/EEA state then you are best advised to appoint a representative there. Otherwise, the representative can be in any state where the individuals whose data you are processing reside.
You will need to have written terms of appointment with your EU/EEA representative authorising them to act on your behalf relating to your EU GDPR compliance and dealing with any regulators or individuals in that respect. Appointing a representative does not affect your own responsibility or liability under the EU GDPR.
Your representative can be an individual, a company or an organisation in the EU/EEA that is able to represent you as regards your EU GDPR obligations – this might be under a simple service contract, for example, or another arrangement more suitable given the circumstances.
How can Blake Morgan help?
As a UK-based law firm, Blake Morgan is working with members of our international legal networks TAGLaw and the euroITcounsel to assist clients who need an EU representative. For more information please contact us.