공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has served in a number senior positions at the Foreign Office, including as Deputy Ambassador for China and Director for Economic Diplomacy and Emerging Powers. She also has worked on global trade policy and UK Representative international issues.

Businesses established outside of the UK must comply with UK privacy laws. They must designate a representative in the UK to act as their point of contact for data subjects and the ICO.

What is an UK representative?

The UK Representative is a person, UK Representative business or other entity that has been authorised by the controller or data processor to act in their behalf on all matters relating to GDPR compliance. They will be the primary contact point for inquiries from individuals exercising their rights, or for requests from supervisory authorities. They could also be subject to national regulations that have been enacted in light of the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent Section 3.2.2 of the Data Protection Act 2018, require the appointment of a representative. The requirement applies to any company that does not have a separate establishment within the United Kingdom and that offers goods or services to or monitors the behaviour of people who reside in the United Kingdom, or that processes personal data of such individuals. The Representative must be able to show evidence of their identity and that they are capable of representing the data controller or processor in relation to the UK GDPR's requirements.

The representative must also be able to communicate with authorities in the event of an incident. This is because the Representative has to make a formal notification to the supervisory authority who appointed them, regardless of whether the breach affects the data subject across multiple jurisdictions.

It is important that the representative you select has worked with both European and UK data protection authorities. It is also important that they have a local language proficiency as they are likely to receive contacts from both individuals and data protection authorities in the countries in which they operate.

Although the EDPB states that the Representative must be held liable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative cannot be sued by a person for the data controller's inability to comply with the UK GDPR. The court concluded that the Representative had no direct connection to the processing of data by the entity that it represented.

Who is required to appoint the UK Representative?

The EU GDPR stipulates that businesses outside of the EU, without an office or branch in the EU that market their goods or services for European citizens, must designate representatives. This is in addition to requirements of national data protection laws. A Representative's role is to serve as the local point of contact for individuals and supervisory bodies regarding GDPR concerns.

The UK has becoming an avon representative identical requirement to that of the EU that is described in Article 27 of the UK-GDPR. The threshold is the same as the EU requirement: any organization offering goods or services in the UK or monitoring the behavior of the data subjects, has to appoint an UK Representative.

Under the UK-GDPR, a representative must be mandated in writing "to be addressed, in addition or alternatively addressed, on behalf of the controller or processor by data subjects and the British Information Commissioner's Office]". They cannot be held personally accountable for GDPR compliance. They must, however, cooperate with supervisory authorities in formal proceedings, and receive notifications from individuals who exercise their rights. ).

Representatives must be situated within the EU member state where the individuals whose personal data are processed reside. This isn't a straightforward decision that requires an extensive legal and business analysis to determine the right location for a company. We provide a specialized service that helps organisations assess their needs and choose the most appropriate representative location.

It is also recommended that Representatives have experience interacting with supervisory authority as well as dealing with inquiries from data subjects. Local language skills are also important since the job will include dealing with inquiries from data subjects or supervisory authorities across Europe.

The identity of the representative should be clarified to data subjects by including their information in privacy policies and the information given to individuals prior to collecting their data (see Article 13 of the UK-GDPR). Contact details for the UK Representative should be published on your website so that supervisory authorities are able to easily reach them.

When do you need to nominate a UK Representative?

If your organisation is based outside the UK, offers goods or services to customers who reside in the UK, or monitors their behaviour, you may need to appoint the position of a UK Representative. The UK's Applied GDPR regime is applicable to established non-UK entities who are carrying out activities in the UK and has the same extraterritorial reach as EU GDPR (with limited exceptions). Take our free self-assessment to determine if you are legally bound by this obligation.

A representative is appointed by the party appointing under the terms of a contract of service. The representative is appointed to act on behalf of the party in relation to certain obligations under UK GDPR and EU GDPR, as applicable. In the UK this would typically involve facilitating communications between the appointing entity and the Information Commissioner's Office or any individuals affected by the UK. A Representative could be an individual or a business that is established in the UK. The entity that is appointing the representative must make it clear to data individuals that their personal information will be processed by the Representative. The identity of the person or company should be made easily accessible to supervisory authorities.

The entity that appointed the representative must provide the contact details of its Representative to the ICO and the data subjects that are affected in the UK in conformity with Article 13 and 14 of the UK GDPR. It is essential to clarify that the role of a representative is different from the one of the position of a Data Protection Officer (DPO), which requires a degree of autonomy and independence that is that is not achievable for the role of a representative.

If you have to appoint a UK representative, you should do so as soon as possible. This is because the requirement arises immediately after Brexit (if there is either a 'hard' or "no deal' Brexit) or after an implementation period (if there is a soft or "with deal" Brexit). There is no grace period.

What are the requirements to be a UK representative?

According to UK data protection laws A representative is a person or company who is "designated" in writing by an entity which doesn't have a physical presence in the UK but is subject to the law. The UK representative should be able to represent an entity in relation to its legal obligations. Their contact details should also be readily accessible to UK residents whose personal data are processed by a business that is not a UK company.

The UK Representative must be an overseas senior employee of a media or business company and has been recruited and employed as an employee of the media or business organization outside of the UK. The person applying for the visa must intend to be full-time employed as the UK representative for the media or business company, and must not engage in any other business ventures in the UK.

The applicant also has to demonstrate that they have the skills and experience necessary to fulfill their duties as UK representative, which involves acting as an individual point of contact for data subjects and UK authorities responsible for data protection. The UK Representative must have the experience and knowledge of UK data protection laws to be able to respond to any requests and enquiries from data protection authorities as well as individuals exercising their rights.

As the Brexit process continues it is likely that the UK data protection laws will change over time. However, at the moment it is expected that companies from outside the UK who do business in the UK and handle personal data of people in the UK will be required to appoint an official from the UK Representative.

This is because article 27 of the GDPR in the United Kingdom which was enacted as an UK national law, requires all entities that do not have any presence in the UK to nominate the position of a UK representative for data protection. If you are unsure of whether you are required to designate an UK representative for data protection It is suggested consult an experienced lawyer.