January 2020 update - GDPR requirement for an EU representative
Leaving the EU does not mean that all EU legislation would cease to have effect in the UK, including the EU's General Data Protection Regulation 2016 ("GDPR"). Organisations looking to transact business in the EU will have to comply with the GDPR if their activities require them to process the personal data of EU data subjects. Please refer to our recent article on the international transfer of personal data.
One example of an obligation that applies to non-EU states is the requirement under Article 27 of the GDPR to have a European representative where a controller or processor offers goods or services to individuals in the EU or monitors the behaviour of individuals located in the EU.
When the UK fully departs the EU (whether at the end of a transition period on 31 December 2020 or earlier in the event of a no-deal Brexit), controllers and processors in the UK are likely to have to appoint a representative in an EU member state if they wish to continue offering their services anywhere in the EU.
A controller or processor would not need to appoint a representative under the following circumstances:
- they are a public authority; or
- the processing of personal data they are undertaking is occasional and of low risk and does not involve large scale processing of special category personal data or criminal offence data.
We recommend that legal advice is sought to determine whether there is a requirement to appoint a representative. Where there is such a requirement and the controller or processor fails to do so, the fine under the GDPR is up to the greater of €10 million or 2% of the organisation's total worldwide annual turnover.
Appointing a representative
If it is necessary to appoint a representative in the EU, this representative can only be based in an EU state where some of the individuals whose personal data is being processed are located. For example, if a UK company is processing the personal data of people located in France, Germany and Italy, then its representative can only be based in either France, Germany or Italy, and not in any other EU state.
The representative must be authorised in writing to act on behalf of the UK controller or processor in respect of:
- EU GDPR compliance;
- dealing with any supervisory authority regarding GDPR compliance;
- dealing with data subjects regarding GDPR compliance.
A "representative" can be an individual, a company or an organisation (e.g. a law firm). They must be able to represent the controller or processor in relation to their obligations under the GDPR. This requires an understanding of the obligations, as well as having the appropriate measures in place to ensure compliance.
Representatives are required under the GDPR to maintain a record of processing activities. Article 30 of the GDPR sets out the requisite information and states that records must be in writing. These are to be made available to the supervisory authority on request.
It should be noted in particular that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall outside the jurisdictional reach of enforcement bodies. To this end, the intention was to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. Recital 80 and the European Data Protection Board guidance state that, in the event of non-compliance by the controller or processor, the designated representative should be subject to enforcement proceedings, including fines. There is little or no explanatory guidance as to the degree to which representatives carry this responsibility.
Representatives will need to consider how they can protect themselves in the event they are subject to enforcement proceedings, whether by means of insurance or through the controller or processor providing an indemnity in the contract of appointment to cover any loss incurred due to their non-compliance.
No deal or transition period
If the UK leaves on 31 January with a deal which has a transition period, a UK representative should still be adequate during this time-frame.
Admittedly, at the time of writing a no-deal Brexit is looking less likely. However, in the event of a no-deal Brexit, "representation" requires immediate consideration from UK-based controllers or processors to ensure compliance.