Handling EU data subjects' personal data post-Brexit: open an office or appoint a representative?
UK-based businesses are now having to deal with a raft of issues that come with the UK being a "third country" for the purposes of the EU General Data Protection Regulation 2016 ("the GDPR").
Organisations looking to transact business in the EU will have to comply with the GDPR if their activities require them to process the personal data of EU data subjects.
One example of an obligation that applies to non-EU states is the requirement under Article 27 of the GDPR to have a European representative where a controller or processor offers goods or services to individuals in the EU or monitors the behaviour of individuals located in the EU.
When the UK is no longer deemed to be an EU-member state at 11pm on 31 December, controllers and processors in the UK are likely to either have to:
- rely on an establishment in the EU (i.e. a physical presence in the EU such as an office); or
- appoint a representative in an EU member state if they wish to continue offering their services anywhere in the EU.
A controller or processor would not need to appoint a representative under the following circumstances:
- they are a public authority; or
- the processing of personal data they are undertaking is occasional and of low risk and does not involve large-scale processing of special category personal data or criminal offence data.
We recommend that legal advice is sought to determine whether there is a requirement to appoint a representative. Where there is such a requirement and the controller or processor fails to do so, the fine under the GDPR is up to the greater of €10million or 2% of the organisation's total worldwide annual turnover.
Appointing a representative
If it is necessary to appoint a representative in the EU, this representative can only be based in an EU state where some of the individuals whose personal data is being processed are located. For example, if a UK company is processing the personal data of people located in France, Germany and Italy, then its representative can only be based in either France, Germany or Italy, and not in any other EU state.
The representative must be authorised in writing to act on behalf of the UK controller or processor in respect of:
- EU GDPR compliance.
- dealing with any supervisory authority regarding GDPR compliance.
- dealing with data subjects regarding GDPR compliance.
A "representative" can be an individual, a company or an organisation (e.g. a law firm). They must be able to represent the controller or processor in relation to their obligations under the GDPR. This requires an understanding of the obligations, as well as having the appropriate measures in place to ensure compliance.
Representatives are required under the GDPR to maintain a record of processing activities. Article 30 of the GDPR sets out the requisite information and states that records must be in writing. These are to be made available to the supervisory authority on request.
It should be noted in particular that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall outside the jurisdictional reach of enforcement bodies. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. Recital 80 and European Data Protection Board Guidance state that in the event of non-compliance by the controller or processor, the designated representative should be subject to enforcement proceedings, including fines. There is little or no explanatory guidance as to the degree to which representatives carry this responsibility.
Representatives will need to consider how they can protect themselves in the event they are subject to enforcement proceedings, whether by means of insurance or through the controller or processor providing an indemnity in the contract of appointment to cover any loss incurred due to their non-compliance.