Businesses based in mainland Europe may need to appoint a UK-based representative to handle data protection matters on their behalf from December 31 2020.
The UK government confirmed that some non-UK data controllers will be obliged to appoint a UK-based representative under new data protection regulations being prepared for a potential ‘no deal’ Brexit. The UK regulations, which would only apply if an agreement on the terms of the UK’s withdrawal from the EU has not been ratified by the time the UK exits, will “replicate” provisions contained in the General Data Protection Regulation (GDPR), it said.
As well as applying to the processing of personal data by organisations established in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by organisations based outside of the Union where the processing relates to the offering of goods or services to those individuals or the monitoring of their behaviour as far as their behaviour takes place within the Union. The GDPR’s extra-territorial effect is confirmed in Article 3(2).
In such cases, non-EU based companies are generally required to designate an EU-based representative unless an exemption applies. The representatives are required to address all issues related to the data processing by the non-EU business that is subject to the EU’s data protection regime “for the purposes of ensuring compliance” with those rules. This includes liaising with data protection authorities or data subjects on the business’ behalf.
The duty to appoint a representative does not apply to public authorities or if the processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
In its guidance note, the UK government said it “intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK”.
In addition, EU standard contractual clauses, which also facilitate data transfers, are to be recognised in UK law, with the Information Commissioner’s Office (ICO) given powers to issue new data protection clauses, the government said.
Further regulations will also allow businesses that have had ‘binding corporate rules’ (BCRs) authorised before Brexit to rely on those BCRs for data transfers post-Brexit, it said. The ICO will continue to be able to authorise new BCRs under domestic law after Brexit, it said.