No-deal Brexit: GDPR requirement for an EU representative
Theresa May's draft Withdrawal Agreement has been voted down by MPs for the second time. Although further votes on how, and when, the UK will leave the EU may follow, at the time of writing a no-deal Brexit is still a possibility.
Leaving the EU (with or without a deal) does not mean that all EU legislation, including the EU's General Data Protection Regulation 2016 ("GDPR"), would cease to have effect for UK organisations. Organisations looking to transact business in the EU will have to comply with the GDPR if their activities require them to process the personal data of EU data subjects. Please refer to our recent article on the international transfer of personal data.
One example of an obligation that applies to non-EU states is the requirement under Article 27 of the GDPR to have a European representative where a controller or processor offers goods or services to individuals in the EU or monitors the behaviour of individuals located in the EU.
When the UK leaves the EU, controllers and processors in the UK are likely to have to appoint a representative in an EU member state if they wish to continue offering their services anywhere in the EU.
A controller or processor would not need to appoint a representative under the following circumstances:
- they are a public authority; or
- the processing of personal data they are undertaking is:
  - only occasional;
  - of low risk in relation to data protection rights; and
  - does not involve special category or criminal offence data on a large scale.
We recommend that legal advice is sought to determine whether there is a requirement to appoint a representative. Where there is such a requirement and the controller or processor fails to do so, the fine under the GDPR is up to the greater of €10 million or 2% of the organisation's total worldwide annual turnover.
Appointing a representative
If it is necessary to appoint a representative in the EU, this representative can only be based in an EU state where some of the individuals whose personal data is being processed are located. For example, if a UK company is processing the personal data of people located in France, Germany and Italy, then its representative can only be based in either France, Germany or Italy, and not in any other EU state.
The representative must be authorised in writing to act on behalf of the UK controller or processor in respect of:
- EU GDPR compliance;
- dealing with any supervisory authority regarding GDPR compliance; and
- dealing with data subjects regarding GDPR compliance.
A "representative" can be an individual, a company or an organisation (e.g. a law firm). They must be able to represent the controller or processor in relation to their obligations under the GDPR. This requires an understanding of the obligations, as well as having the appropriate measures in place to ensure compliance.
Representatives are required under the GDPR to maintain a record of processing activities. Article 30 of the GDPR sets out the requisite information and states that records must be in writing. These are to be made available to the supervisory authority on request.
In recital 80 of the GDPR there is also a word of warning to those appointed as representatives. Recitals are not binding, but they do give an indication of what might happen in certain circumstances. Recital 80 states that in the event of non-compliance by the controller or processor, the designated representative "should" be subject to enforcement proceedings. There is little or no explanatory guidance on what such proceedings might entail, for example a monetary fine or an order enforcing compliance. Representatives will need to consider how they can protect themselves in the event they are subject to enforcement proceedings, whether by means of insurance or through the controller or processor providing an indemnity in the contract of appointment to cover any loss incurred due to the controller's or processor's non-compliance.
UK equivalent approach
The UK government has said that it intends to adopt the same arrangement in reverse for controllers based outside the UK who wish to transact business in the UK and process UK data subjects' personal data. Proposed regulations are due to come into effect when the UK leaves the EU. This would mean that non-UK controllers would need to appoint representatives in the UK where they are processing UK personal data and fall under the relevant requirements.
Under a no-deal Brexit, "representation" requires immediate consideration from UK-based controllers or processors to ensure compliance. There are already companies offering "No Brexit, No fee" contracts in relation to appointing a representative, presumably to assist controllers and processors to implement a "plan B" if the UK leaves the EU without a deal.
Deal and transition
If the UK leaves with a deal that includes a transition period, a UK representative should still be adequate during that time-frame. This scenario should be monitored carefully in the light of the draft Withdrawal Agreement having been voted down twice by MPs, as any new deal may not provide the same protections.