| 5 Become A Representative Instructions From The Pros | Julio | 23-07-03 02:21 |
What Is a UK Representative and Why Do You Need One?
Natacha has served in several senior positions within the Foreign Office, including as the Deputy Ambassador for China and Director of Economic Diplomacy and Emerging Powers. She also worked on global trade policy as well as international development issues.

Businesses located outside the UK are bound by UK privacy laws. They must designate an official in the UK who will act as their point of contact for data subjects and the ICO.

What is a UK representative?

The UK Representative is a person, company or organisation that is formally mandated by a data controller or processor to act on their behalf in all matters around GDPR compliance. They will be the main contact point for any requests from data subjects exercising their rights and for requests from supervisory authorities. They could be subject to national regulations that have been implemented due to the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. The requirement applies to any entity that does not have its own establishment within the United Kingdom and that offers services or goods to, or monitors the behavior of, individuals located in the United Kingdom, or that manages personal data of those individuals.

The representative must be able to prove their identity, and that they can be the controller or processor of data in respect of UK GDPR obligations. As well as acting as a means for individuals to exercise their GDPR rights, the representative must also be able to communicate with authorities in the event of an incident. This is because the Representative needs to make a formal notification to the supervisory authority that appointed them, regardless of whether the breach affects individuals across multiple jurisdictions.
It is recommended that your chosen representative has worked with both European and UK-based data protection authorities. It is also desirable that they are fluent in the local language, as they are likely to receive calls from both individuals and data protection authorities in the countries where they operate.

The EDPB declares that the Representative is responsible for any non-compliance. However, the UK case of Rondon v LexisNexis UK Ltd. (2019) EWHC 1427 confirmed that a representative cannot be sued by someone who believes the controller of the data has failed to comply with GDPR in the UK. This is because, according to the court, the Representative has no direct connection to the processing of data by the represented entity.

Who is required to appoint the UK Representative?

The EU GDPR stipulates that businesses outside of the EU, without an office or branch within the EU, that market their products or services to European citizens must have an official representative. This is in addition to requirements from national laws on data protection. The purpose of a Representative is to serve as a single point of contact for individuals and supervisory authorities in relation to GDPR compliance issues.

The UK has its own version of the EU requirement, set out in Article 27 of the UK-GDPR. The threshold is the same as that of the EU requirement: any organization offering goods or services in the UK, or monitoring the conduct of data subjects, must appoint a UK Representative.

Under the UK-GDPR, a Representative must be formally authorized "to be additionally or alternatively addressed, on behalf of the controller or processor by data subjects and the British Information Commissioner's Office". They cannot be held personally accountable for compliance with the GDPR.
However, they must cooperate with supervisory authorities in formal proceedings and receive information from data subjects who exercise their rights (access request, right to be forgotten, etc.).

Representatives must be located in the Member State of the European Union in which the individuals whose personal data are processed are residents. This isn't a straightforward choice and requires an in-depth legal and business analysis to determine the most suitable location for an organisation. We provide a service that assists businesses to evaluate their needs and select the best representative option.

It is also recommended that the representative has experience interacting with supervisory authorities and handling data subject requests. Local language skills are often important, as the job is likely to involve dealing with requests from data subjects or supervisory authorities in multiple countries across Europe.

The identity of the representative should be made clear to data subjects by including their contact information in privacy policies as well as in the information provided to individuals prior to collecting their data (see Article 13 UK-GDPR). The UK Representative's contact details should also be made available on your site, giving supervisory authorities an easy way to contact them.

When do you need to designate a UK Representative?

If your organisation is located outside the UK and provides products or services in the UK or monitors the conduct of individuals, you may be required to appoint a UK Representative. The UK's applied EU GDPR regime applies to entities established outside the UK that are performing activities in the UK. It has the same extraterritorial reach as EU GDPR, with limited exceptions. Take our free self-assessment and see if you are legally bound by this obligation.
A representative is appointed by the appointing party under a service agreement to act for that party in relation to specific obligations under UK GDPR and EU GDPR, if applicable. In the UK this would involve facilitating communication between the appointing entity and the Information Commissioner's Office or any affected data subjects in the UK.

A Representative could be an individual or a business based in the UK. The body that appointed them must inform the data subjects that the Representative will be processing their personal information and that the identity of the person or company is readily available to supervisory authorities.

In accordance with Articles 13 and 14 of the UK GDPR, the entity that appoints the representative is also required to provide the contact details of its representative to the ICO and the data subjects in the UK.

It is essential to make clear that the job of a Representative is different from, and incompatible with, the role of a Data Protection Officer ("DPO"), which requires a level of autonomy and independence that cannot be provided by a representative.

If you have to appoint a UK representative, you should do so as soon as possible. This is because the requirement applies either immediately following Brexit (if it is a "hard" or "no deal" Brexit) or following an implementation period (if it is a "soft" or "with deal" Brexit). There is no grace period.

What are the requirements for a UK Representative?

According to UK laws on data protection, a representative is a person or company who is "designated" in writing by a company that does not have a physical presence in the UK but is subject to the law. The UK representative should be able to represent the entity in relation to its obligations under the law. The contact information of the representative should also be readily available to UK residents whose personal details are processed by a non-UK company.
The UK Representative must be an overseas senior employee of a business or media organization and have been hired and employed by the media or business entity outside of the UK. The applicant for the visa must be planning to serve as the UK representative of the media or business organisation full-time and must not engage in any other business activities within the UK. The applicant also has to prove they have the knowledge and experience needed to fulfill their role as UK representative, which includes serving as a local contact point for data subjects and UK data protection authorities.

The UK Representative must possess sufficient experience and knowledge of UK data protection laws to be able to respond to inquiries and requests from data protection authorities as well as from individuals exercising their rights.

As the Brexit process continues, it is likely that UK data protection laws will change over time. However, at the moment, it is expected that non-UK businesses who do business in the UK and collect personal information of individuals within the UK will need to designate a UK Representative. This is because the UK GDPR requires that entities without a UK presence appoint a representative in accordance with Article 27 of the UK GDPR, which is regarded as a law of the nation in the UK.

If you are not sure whether you should appoint a UK data protection representative, it is recommended that you consult an experienced legal advisor.