공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number of high-level positions within the Foreign Office including Deputy Ambassador to China and Director for economic diplomacy and Emerging Powers. She has also been involved in global trade policy and international issues.

Companies that are not based in the UK must comply with UK privacy laws. They must appoint a Representative in the UK to act as their point of contact for data subjects, as well as the ICO.

What is what is a UK Representative?

The UK Representative is an individual, a company or organisation that is formally mandated by the controller or processor of data to act on behalf of the controller or processor regarding all matters around GDPR compliance. They will be the primary point of contact for enquiries from data subjects exercising their rights, or for requests from supervisory authorities. They may also be subject to national regulations that have been enacted in light of the GDPR's extraterritorial reach (see the UK case Rondon v LexisNexis Risk Solutions).

The appointment of Representatives is required by Article 27 of the EU GDPR, as well as the UK equivalent section 3(2) of the Data Protection Act 2018. The requirement applies to any company that does not have a separate establishment within the United Kingdom and that offers goods or services to or monitors the behavior of people who reside in the United Kingdom, or that processes personal data of such individuals. The representative must be able to provide proof of their identity, and that they are able to represent the controller or processor of data in respect to UK GDPR obligations.

In addition to serving as a portal for individuals to exercise their rights under GDPR, the Representative must be capable of communicating with authorities in the event of an incident. This is because the Representative has to submit a notification to the supervisory authority that appointed them regardless of whether the breach impacts data subjects across different jurisdictions.

It is important that the representative you select has experience working with both European and UK data protection authorities. It is also recommended to have local language skills because they are likely to receive contacts from both individuals and data protection authorities in the countries where they work.

The EDPB declares that the Representative is accountable for non-compliance. However, the UK case of Rondon v LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative is not able to be sued by a person who believes that the controller of the data has failed to meet the GDPR requirements in the UK. This is due to the fact that, according to the court, the Representative has no direct connection with the data processing activities carried out by the represented entity.

Who is responsible avon for representatives appointing the UK Representative?

To be in compliance with the EU GDPR, businesses that are not part of the EU that market their products or services towards European citizens, but do not have a branch, office or establishment in the EU must designate an EU Representative. This is in addition to the requirements of the national data protection laws. The role of a Representative is to serve as a local point of contact for supervisory authorities and individuals with respect to GDPR compliance issues.

The UK has a similar requirement to the EU as laid out in Article 27 of the UK-GDPR. The threshold is the same as that of the EU requirement: any company providing goods or services within the UK or monitoring the conduct of data subjects, must appoint an UK Representative.

According to the UK-GDPR, a representative must be approved in writing by the data subjects or the British Information Commissioner's Office[British Information Commissioner's Office] "to be contacted, in addition or alternatively, on behalf of the controller or processor". They are not permitted to be held personally liable for the GDPR's compliance. They must, however, cooperate with supervisory authorities in official proceedings, and receive communications from individuals who exercise their rights. ).

Representatives must be located in the member state of the European Union in which the individuals whose personal data are processed are residents. This is not a simple decision and requires an in-depth legal and business analysis to determine the most suitable location for an organization. We provide a service that assists businesses to assess their needs and choose the most suitable representative choice.

It is also recommended that representatives have experience working with supervisory authorities as well as dealing with inquiries from data subjects. Language skills in the local language can also be important, as the job could involve dealing with requests from data subjects or supervisory authority in multiple countries throughout Europe.

The identity of the representative should be made known to the individuals who are the data subjects via privacy policies and information provided before collecting data (see article 13 in the UK-GDPR). Contact information for the UK Representative should be made available on your website so that supervisory authorities can easily contact them.

When do you have to appoint an UK Representative?

If your organisation is located outside the UK and provides goods or services to the UK or monitors the behaviour of individuals, you may be required to appoint an UK Representative. The UK's Applied GDPR system applies to established companies outside the UK that conduct business in the UK and has the same extraterritorial reach as EU GDPR (with limited exceptions). You should take our free self-assessment and find out if you are required to comply with this requirement.

A Representative is appointed by the appointing party under a contract of service to act for that party with respect to certain obligations under UK GDPR and EU GDPR, as applicable. In the UK, the main purpose of this is to facilitate communication between the appointing party and the Information Commissioner's Office (ICO) or any other affected data subjects in the UK. A Representative could be an individual or a UK-based company. The entity that is appointing the representative must make it clear to the data individuals that their personal information will be processed by the Representative and the identity of that person or company should be readily available to supervisory authorities.

According to Articles 13 and 14 of the UK GDPR the entity that is appointed as the representative is also required to provide the contact information of its representative to the ICO and the data subjects in the UK. It is imperative to make clear that the representative's job is different from the role of the role of a Data Protection Officer (DPO) that requires a certain degree of autonomy and independence not possible for a representative.

If you need to appoint a UK representative, it is best to do so as fast as possible. This is due to the fact that this obligation is either immediately following Brexit (if it is an "hard" or "no deal" Brexit) or following an implementation period (if it's a "soft" or a "with deal". There is no grace period.

What are the requirements for the designation of a UK Representative?

According to UK laws on data protection, a representative is a person, or a business who is "designated" in writing by a company that does not have a physical presence in the UK however is subject to the law. The UK representative is required to be able represent an entity with respect to its legal obligations. The contact information of the representative should also be accessible to UK residents whose personal details are being processed by a non-UK company.

The UK Representative must be an overseas senior employee of a media or business company, and have been hired and employed as an employee of the media or business entity outside of the UK. The visa applicant must intend to serve as the UK representative of the media or business organisation full-time and must not engage in other business activities in the UK.

In addition the visa holder must prove that they have the required skills and experience to fulfill their duties as a UK Representative, which will include acting as the local point of contact for any queries from data subjects as well as the UK data protection authorities. The UK Representative must have the experience and knowledge of UK laws regarding data protection to be competent to respond to inquiries and requests from data protection authorities and individuals exercising their rights.

As the Brexit process progresses and the process continues, it is likely that UK data protection laws are going to change in the future. In the present, however it is expected of companies that are not based in the UK, UK Representative but do business in the UK, and process personal data of individuals in the UK, to appoint UK representatives.

This is because article 27 of the UK's GDPR which was enacted as an UK national law, requires all entities that do not have any presence in the UK to nominate an UK data protection representative. If you are unsure of whether you should appoint an UK data protection representative it is recommended consult an experienced lawyer.