GDPR and Brexit – do you need to appoint a representative in the EU?


10th December 2020

Simon Stokes, a partner in our technology team, looks at the impact of Article 27 of the EU GDPR on UK businesses.

Brexit does not necessarily mean your business can forget about European data protection law (the EU GDPR).  If you are based in the UK but don’t have any offices, branches or other establishments in the EU/EEA, your primary concern will be to comply with the UK GDPR – how the GDPR will apply in the UK after the transition period ends.  But even if you have no physical presence in the EU/EEA then the EU GDPR can still continue to apply to you.  This includes if you are processing the personal data of individuals (including sole traders but not companies) in the EU/EEA that relates either to:

  • Offering goods or services to individuals in the EU/EEA – for example through an e-commerce platform; or
  • Monitoring the behaviour of individuals in the EU/EEA – for example through the use of CCTV, health analytics services, cookies that track user behaviour or by the use of wearable or smart devices.

Representative in the EU/EEA

Given the UK GDPR and the EU GDPR are pretty much the same that isn’t necessarily a problem as long as you are GDPR-compliant.  But what may surprise you is that unless your processing is both “occasional” and unlikely to result in a risk to individual’s data protection rights and freedoms, then you will need to appoint a representative in the EU/EEA under Article 27 of the EU GDPR.

This is not a new requirement – it has been in the EU GDPR throughout – and US companies, for example, processing the data of EU citizens have had to have regard to it.  What’s new for the UK is that once we become a third country – outside of the EU data protection regime – once the transitional period ends – we too will be treated like the US by Europe.

The Article 27 representative will act as a point of contact within the EU/EEA for individuals and EU regulators who want to contact you.

You only need to appoint one representative in the EU/EEA.  If you focus on one EU/EEA state then you are best advised to appoint a representative there.  Otherwise it can be in any state where the individuals whose data you are processing reside.

You will need to have written terms of appointment with your EU/EEA representative authorising them to act on your behalf relating to your EU GDPR compliance and dealing with any regulators or individuals in that respect.  Appointing a representative does not affect your own responsibility or liability under the EU GDPR.

Your representative can be an individual, a company or an organisation in the EU/EEA who is able to represent you as regards your EU GDPR obligations – this might be under a simple service contract for example or another arrangement more suitable given the circumstances.

You will need to inform regulators and individuals in the EU/EEA that you have such a representative by including details in your privacy policy and on your website, for example.

How can Blake Morgan help?

As a UK-based law firm Blake Morgan is working with members of our international legal networks TAGLaw and the euroITcounsel to assist clients who need an EU representative.  For more information please contact us.

Tags:

Sign up for our mailings

Register here

Enjoy That? You Might Like These:


articles

26 February - Tim Coles
What are the key points to bear in mind when it comes to selling your business? We look at how best to get your house in order for private company... Read More

articles

22 February - Tim Coles
In the hustle and bustle of setting up your own business, certain items can be overlooked for ease or to save costs. You might think, why do I need a... Read More

newsletters

16 February - Cathrine Bryant
Welcome to our Tax Insights bulletin for this quarter and the first one for 2021.   There is a lot to talk about and a lot of developments that require us... Read More