As the Brexit uncertainty comes to an end with the passing of the withdrawal agreement bill, the uk will enter a period of transition until 31st December 2020.
Data controllers or processors subject to the GDPR as per its Article 3(2) are under the obligation to designate a representative in the Union. A controller or processor not established in the Union but subject to the GDPR failing to designate a representative in the Union would therefore be in breach of the Regulation.
What is ‘a representative’ and who does it apply to?
A representative is a local point of contact for the organisation they represent, who can communicate with individuals and data protection authorities on behalf of the organisation in relation to data protection matters.
The GDPR requires organisations not established in the EU to appoint a representative in an EU member state, if the organisation monitors the behaviour of individuals in the EU, or if it is apparent that the organisation intends to offer goods or services to individuals in the EU. Following Brexit, organisations in the UK will be subject to the same requirements, as they will no longer be established in the EU.
In addition to this, , organisations not based in the UK who are offering goods or services to individuals in the UK or monitoring their behaviour will be required to appoint a UK representative, in order to comply with UK data protection law. This has been confirmed by the Information Commissioner’s Office, which has stated that ”the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.
What does this mean in practice for organisations?
Currently, organisations based in the UK do not require a representative in the EU and organisations established in other EU countries do not need a representative in the UK. Following the Brexit transition period, this will change:
- Organisations established outside the EU and the UK: currently, these organisations require one representative based in the EU. Following Brexit, these organisations will need an additional representative. If the organisation’s current EU representative is based in the UK, but the organisation sells to or monitors individuals in the EU, an additional EU representative will be required to comply with the GDPR. If the organisation’s current representative is based in another EU member state, but the organisation sells to or monitors individuals in the UK, a UK representative will be required to comply with UK law.
Alternatively, it may prove cost-effective to appoint an outsourced representative with establishments in both the EU and the UK which can act on the organisation’s behalf in both cases.
- Organisations established in the UK: organisations established in the UK but which offer goods or services to, or monitor, individuals in the EU will need to appoint a representative in an EU country following Brexit.
- Organisations established in other EU countries: organisations established in the EU but not in the UK, which offer goods or services to, or monitor, individuals in the UK will need to appoint a representative in the UK following Brexit. This will be needed in order to comply with UK law.
What do you need consider when appointing an EU and/or a UK representative?
- Assess where you need a representative (UK and/or EU) considering your current and future business operations
- Consider whether your business foresees an expansion which will lead to a new market. Will you need a representative in the UK and/or the EU as a result of this?
- Find the best business option to minimise the cost of appointing representative(s) (e.g. a representative located in the jurisdiction required).
- While a UK representative is relatively straightforward in terms of the representative’s location, non-EU organisations will need to assess carefully when choosing where to appoint their EU representative.
- If an organisation processes data from individuals in multiple EU countries, the representative must remain easily accessible to the individuals in all those countries, and must be able to communicate in the language used by the individuals and supervisory authorities of each of those countries.
An outsourced representative with an international presence will make it easier to have a representative easily accessible to individuals and supervisory authorities in different countries, with the language skills required to communicate with them.