공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number of senior roles in the Foreign Office including Deputy Ambassador to China and a Director responsible for economic diplomacy and Emerging Powers. She also has worked on global trade policy and international issues.

Businesses that operate outside of the UK must comply with UK privacy laws. They must choose an official in the UK who will be their point of contact for data subjects and ICO.

What is an UK representative?

The UK Representative is an individual, company or organisation mandated in writing by a processor or controller of data to act on their behalf in all matters around GDPR compliance. They will be the main contact point for inquiries from data subjects exercising their rights, or requests from supervisory authorities and may also be subject to national requirements which have been implemented in light of the GDPR's extraterritorial reach (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of a representative. The requirement applies to any organization that does not have its own place of business within the United Kingdom and that offers goods or services to or monitors the behaviour of individuals residing in the United Kingdom, or that handles personal data of these individuals. The Representative must be able proof of their identity and that they are capable of representing the controller or processor of data in relation to the UK GDPR's requirements.

The Representative must also be able to communicate with authorities in the event of an incident. The Representative must notify the supervisory authority that appointed them, regardless of whether the breach affects data subjects across multiple jurisdictions.

It is recommended that your chosen Representative has experience working with both European and UK-based authorities for data protection. It is also desirable that they are fluent in the local language as they are likely to receive calls from both individuals and data protection authorities in the countries where they work.

Although the EDPB states that the Representative will be held accountable in the event of non-compliance the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has established that a Representative cannot be sued by an individual for the data controller's apparent failure to adhere to the UK GDPR. This is due to the fact that, according to the court the Representative has no direct link to the data processing activities carried out by the representative entity.

Who is required to appoint the UK Representative?

To comply with the EU GDPR, businesses that are not part of the EU that are targeting goods or services towards European citizens but do not have an office, branch or establishment in the EU must appoint an EU Representative. This is in addition to the requirements from national laws on data protection. The role of a Representative is to be an individual point of contact for individuals and supervisory authorities regarding GDPR compliance issues.

The UK has its own version to the EU requirement, set out in Article 27 of the UK-GDPR. Similar to the EU requirement, the threshold is low: any organisation that offers products or services to, or monitors the behaviour of data subjects within the UK must appoint an UK representative.

Under the UK-GDPR, a Representative must be appointed in writing "to be addressed, in addition or alternatively, addressed on behalf of the controller or processor, by data subjects and the [British Information Commissioner's Office]". They are not able to be held personally liable for the GDPR's compliance. However, they must cooperate with supervisory authorities in official proceedings and receive notifications from data subjects who exercise their rights (access request, right to be forgotten, etc. ).

Representatives should be located in the state of the European Union in which the individuals whose personal data are processed are resident. This is not a simple decision and requires an extensive legal and business analysis to determine the right location for an organisation. For this reason we offer an individualized service that assists companies in assessing their requirements and deciding on the most appropriate Representative option.

It is also advisable that Representatives have experience in dealing with supervisory authorities and dealing with requests from data subjects. Local language skills can also be important, as the job could involve dealing with requests from supervisory authority or data subjects in a variety of countries across Europe.

The identity of the representative should be disclosed to the data subjects by including their information in privacy policies and information provided to individuals before collecting their data (see Article 13 of the UK-GDPR). Contact information for the UK Representative should be published on your website so that supervisory authorities are able to easily reach them.

When do you have to nominate a UK Representative?

If your business is located outside of the UK and provides goods or services to the UK or monitors the behavior of individuals, you may be required to designate a UK Representative. The UK's applied EU GDPR regime applies for non-UK established companies that conduct business in the UK. It has the same reach as EU GDPR, with some exceptions. Take our free self-assessment and check if you're subject to this obligation.

A representative is appointed by the party appointing under an agreement of service to represent that party with respect to certain obligations under UK GDPR and UK Representative EU GDPR, if applicable. In the UK, the main purpose of this is to facilitate communication between the appointing party and the Information Commissioner's Office (ICO) or any other affected data subjects in the UK. Representatives can be an individual or a business that is established in the UK. The body that appoints them must inform the subjects of data that the Representative will be processing their personal information and that the identity of the individual or company is readily accessible to supervisory authorities.

The entity that is appointing the representative must provide the contact details of its avon representative to the ICO and the data subjects that are affected in the UK in accordance with Article 13 and 14 of the UK GDPR. It is imperative to make clear that a representative's role is different from the role of a Data Protection Officer (DPO) that requires a certain degree of independence and autonomy not possible for the role of a representative.

If you are required to appoint an UK representative It is advised to do so as quickly as possible. This is because the requirement will be in effect immediately after Brexit (if there is either a 'hard' or "no deal' Brexit) or after an implementation period (if there is a'soft' or "with deal" Brexit). There is no grace period.

What are the requirements to become a UK representative?

According to UK laws on data protection A representative is a person or company who is "designated" in writing by an entity that doesn't have a physical presence in the UK but is subject to the law. The UK representative should be able to represent an entity in relation to its obligations under law. Contact details for representatives should also be readily accessible to UK residents whose personal data are processed by a business that is not a UK company.

The UK Representative must be an overseas senior member of a media or business company and has been recruited and employed as an employee of the media or business entity located outside the UK. The applicant must genuinely intend to be employed full-time as the UK representative for the media or business company, and must not engage in any other business activity in the UK.

The applicant for visas also has to prove they have the expertise and experience needed to fulfill the role of a UK representative, which entails serving as a local contact point for the data subjects and UK authorities for data protection. The UK Representative must have the knowledge and understanding of UK data protection laws to be capable of responding to inquiries and requests from data protection authorities as well as individuals exercising their rights.

As the Brexit process moves forward, it is likely the UK data protection laws are going to change as time passes. At the moment, it is expected that companies from outside the UK that do business in the UK and handle personal data of individuals in the UK will be required to appoint an UK Representative.

This is because the UK GDPR mandates that all entities with no UK presence must appoint a representative under article 27 of the UK GDPR which is regarded as a national law in the UK. If you're not sure if you need a UK data protection rep It is recommended to consult an experienced legal advisor.