공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held several senior positions within the Foreign Office, including as the Deputy Ambassador for China and Director of Economic Diplomacy and Emerging Powers. She also worked on global trade policy as well as international issues of development.

Businesses that operate outside of the UK must adhere to UK privacy laws. They must appoint an official in the UK who will act as their point-of-contact for individuals who have data and the ICO.

What is a UK representative?

The UK Representative is a person, business or organization that has been authorised by the controller or data processor to act on behalf of the controller or processor in all matters related to GDPR compliance. They will be the primary contact point for any queries from individuals exercising their rights or requests from supervisory authorities. They could be subject to national laws that have been put in place due to the GDPR's extraterritorial scope (see the UK case Rondon against LexisNexis Risk Solutions).

The appointment of Representatives is required by Article 27 of the EU GDPR, and the UK equivalent Section 3(2) of the Data Protection Act 2018. The requirement applies to any entity that does not have a separate establishment within the United Kingdom and that offers services or goods to or monitors the behavior of individuals located in the United Kingdom, or that manages personal data of those individuals. The representative must be able to prove their identity, and also prove that they can represent the data processor or controller in respect to UK GDPR requirements.

The Representative should also be able to communicate with authorities if there is a breach. The Representative must notify the supervisory authority who appointed them regardless of whether the breach affects data subjects in multiple jurisdictions.

It is recommended that your chosen representative has worked with both European and UK-based data protection authorities. It is also beneficial for them to be proficient in local languages since they are likely to receive contact from individuals and agencies in the countries where they work in.

While the EDPB states that the Representative will be held accountable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has established that a Representative cannot be sued by an individual for the data controller's apparent failure to adhere to the UK GDPR. The court ruled that the Representative had no direct connection to the data processing activities of the entity being represented.

Who needs to appoint an UK Representative?

The EU GDPR stipulates that businesses from outside the EU with no office or branch in the EU and that are targeting goods or services at European citizens must appoint a Representative. This is in addition to requirements of national data protection laws. A representative's job is to serve as a local avon representative point-of-contact for supervisory bodies and individuals regarding GDPR concerns.

The UK has its own equivalent to the EU requirement, which is set in Article 27 of the UK-GDPR. Similar to the EU requirement the threshold is not high: any organisation that offers goods or services to or monitors the behaviour of data subjects in the UK must designate an official from the UK representative.

Under the UK-GDPR, a representative must be appointed in writing "to be additionally or alternatively, addressed on behalf of the controller or processor by the data subjects and the British Information Commissioner's Officethe [British Information Commissioner's Office]". They cannot be held personally accountable for GDPR compliance. However they must cooperate with supervisory authorities in official proceedings and receive information from data subjects who exercise their rights (access request or right to be forgotten etc. ).

Representatives must be located in the Member State of the European Union in which the individuals whose personal information is processed are resident. This is not a simple decision and requires an extensive legal and Representative Sales business analysis to determine the best location for an organization. We offer a dedicated service that assists businesses to evaluate their needs and select the most suitable representative choice.

It is also recommended that Representatives have experience interacting with supervisory authorities as well as handling data subject inquiries. The ability to communicate in a local language is often of importance as the role is likely to be involving dealing with requests from data subjects or supervisory authorities across Europe.

The identity of the representative must be made known to the people who have data through privacy policies and information given prior to collecting data (see article 13 UK-GDPR). Contact details for the UK Representative should be made available on your website so that supervisory authorities can easily reach them.

When are you required to appoint an UK Representative?

If your business is based outside the UK provides goods or services to individuals who reside in the UK, or monitors their behavior, you may need to designate a UK Representative. The Applied GDPR regime in the UK applies to established companies outside the UK who are carrying out activities in the UK and has the same scope of extraterritorial application as the EU GDPR (with limited exceptions). You should take our free self-assessment to see whether you are subject to this obligation.

A Representative is mandated by the appointing entity in an agreement to represent the entity in relation to a number of its obligations under UK and EU GDPR, if applicable. In the UK the primary goal of this would be to facilitate communication between the appointing entity and the Information Commissioner's Office (ICO) or any data subjects affected in the UK. A Representative could be an individual or a UK-based company. The body that appointed them must inform data subjects that the Representative will be processing their personal data and that the identity of the individual or business is readily accessible to supervisory authorities.

The appointing entity must also provide the contact information of its Representative to the ICO and data subjects affected in the UK in accordance with Article 13 as well as 14 of the UK GDPR. It is essential to make clear that the role of a Representative is separate from and not compatible with the duties of the role of a Data Protection Officer ("DPO"), which requires a degree of autonomy and independence that cannot be provided by a representative.

If you need to designate an official from the UK representative and you are required to do so, you must do it as soon as you can. This is because this requirement arises either immediately after Brexit (if it is an "hard" or "no deal" Brexit) or following an implementation period (if it is a "soft" or a "with deal". There is no grace period.

What are the requirements to become a UK representative?

Under the UK laws on data protection (and specifically article 27 of the UK GDPR) A representative is an individual or business that is "designated in writing" by an entity that does not have a presence in the UK but is subject to the requirements of the law. The UK representative must be capable of representing the entity with regard to its legal obligations and their contact information must be readily accessible to individuals who reside in the UK who have personal information being processed by the non-UK company.

The person who is the UK Representative must be a senior worker of the overseas media or business organisation and has been enlisted and appointed as an employee outside the UK by the media or business organisation. The applicant must genuinely intend to be employed full-time as the UK Representative for the business or media company, Representative sales and must not engage in any other business activity in the UK.

Additionally the visa applicant must prove that they have the necessary skills and experience to fulfill their duties as UK representative sales (Littleyaksa.yodev.net) that includes acting as the local point of contact for any queries from data subjects and UK authorities for data protection. The UK Representative must possess sufficient experience and knowledge of UK laws regarding data protection to be able to respond to any inquiries and requests from data protection authorities as well as individuals exercising their rights.

As the Brexit process continues and the process continues, it is likely that UK laws on data protection will be altered in the future. However, at the moment, it is expected that non-UK businesses that do business in the UK and process personal data of individuals within the UK will be required to appoint an official from the UK Representative.

It is because article 27 of the GDPR in the United Kingdom which was enacted as a UK national law, requires companies without a UK-based presence to appoint an UK representative for data protection. If you're not sure whether you're required to have a UK representative for data protection It is recommended to consult an experienced legal advisor.