UK-based businesses are now having to deal with a raft of issues that come with the UK being a “third country” for the purposes of the EU General Data Protection Regulation 2016 (“the GDPR”).
Organisations looking to transact business in the EU will have to comply with the GDPR if their activities require them to process the personal data of EU data subjects.
One example of an obligation that applies to organisations established outside the EU is the requirement under Article 27 of the GDPR to appoint a European representative where a controller or processor offers goods or services to individuals in the EU or monitors the behaviour of individuals located in the EU.
When the UK is no longer deemed to be an EU-member state at 11pm on 31 December, controllers and processors in the UK are likely to either have to:
A controller or processor would not need to appoint a representative under the following circumstances:
We recommend that legal advice is sought to determine whether there is a requirement to appoint a representative. Where there is such a requirement and the controller or processor fails to appoint one, the fine under the GDPR is up to the greater of €10 million or 2% of the organisation’s total worldwide annual turnover.
If it is necessary to appoint a representative in the EU, this representative can only be based in an EU state where some of the individuals whose personal data is being processed are located. For example, if a UK company is processing the personal data of people located in France, Germany and Italy, then its representative can only be based in either France, Germany or Italy, and not in any other EU state.
The representative must be authorised in writing to act on behalf of the UK controller or processor in respect of:
A “representative” can be an individual, a company or an organisation (e.g. a law firm). They must be able to represent the controller or processor in relation to their obligations under the GDPR. This requires an understanding of the obligations, as well as having the appropriate measures in place to ensure compliance.
Representatives are required under the GDPR to maintain a record of processing activities. Article 30 of the GDPR sets out the requisite information and states that records must be in writing. These are to be made available to the supervisory authority on request.
It should be noted in particular that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall outside the jurisdictional reach of enforcement bodies. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. Recital 80 and European Data Protection Board Guidance state that in the event of non-compliance by the controller or processor, the designated representative should be subject to enforcement proceedings, including fines. There is little or no explanatory guidance as to the degree to which representatives carry this responsibility.
Representatives will need to consider how they can protect themselves in the event they are subject to enforcement proceedings, whether by means of insurance or through the controller or processor providing an indemnity in the contract of appointment to cover any loss incurred due to their non-compliance.
For further advice on this topic, please contact Tom Torkar, Partner in Michelmores’ Commercial team.