공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a variety of high-level positions within the Foreign Office including Deputy Ambassador to China and Director for economic diplomacy and Emerging Powers. She also worked on global trade policy as well as international development issues.

Businesses located outside the UK are bound by UK privacy legislation. They must designate a representative in the UK to act as their point of contact for data subjects, as well as the ICO.

What is a UK representative?

The UK Representative is a person, business or organization that has been mandated by a data processor or controller to act in their behalf in all matters related to GDPR compliance. They will be the primary point of contact for inquiries from data subjects who exercise their rights or requests from supervisory authority. They could also be subject to national laws that have been put in place due to the GDPR’s extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).

The appointment of Representatives is required under Article 27 of the EU GDPR, and the UK equivalent, Section 3(2) of the Data Protection Act 2018. The requirement applies to any entity that does not have a separate establishment within the United Kingdom and that offers services or goods or monitors the conduct of individuals residing in the United Kingdom, or that manages personal data of those individuals. The representative must be able proof of their identity and that they are capable of representing the data controller or processor in respect to the UK GDPR's requirements.

The representative must be able to communicate with authorities if there is a breach. The representative must notify the supervisory authority that appointed them, regardless of whether the breach affects data subjects in multiple jurisdictions.

It is recommended that the representative has worked with both European and UK-based data protection authorities. It is also desirable for them to speak a local language, as they will likely receive contact from individuals and data protection agencies in the countries where they operate in.

Although the EDPB states that the Representative must be held liable in the event of non-compliance the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has established that a Representative cannot be sued by an individual for the apparent failure to adhere to the UK GDPR. The court ruled that the Representative was not in direct connection with the processing of data by the represented entity.

Who is required to appoint the UK Representative?

To be in compliance with the EU GDPR, businesses outside of the EU that market their products or services for European citizens, but do not have a branch, office or Sale Representatives establishment in the EU must designate an EU Representative. This is in addition to requirements of national data protection laws. A sales representative's role is to be a local point-of-contact for supervisory bodies and individuals in relation to GDPR issues.

The UK has its own version to the EU requirement, set out in Article 27 of the UK-GDPR. As with the EU requirement, the threshold is low and any business that offers goods or services to, or monitors the behavior of, data subjects in the UK must appoint an official from the UK representative.

Under the UK-GDPR, a Representative must be mandated in writing "to be additionally or alternatively addressed, on behalf of the controller or processor, by data subjects and the [British Information Commissioner's Office[British Information Commissioner's Office]". They are not able to be personally held accountable for compliance with the GDPR. They must, however, cooperate with supervisory authorities in formal proceedings, and also receive communications from individuals who exercise their rights. ).

Representatives should be located within the EU member state in which the people whose data are being processed reside. This isn't a straightforward decision that requires a thorough business and legal analysis to determine the most suitable location for an organization. For this reason we offer a dedicated service to assist organizations in assessing their needs and choosing the best option for them.

It is also advisable that representatives have experience working with supervisory authorities and handling data subject requests. The ability to communicate in a local language is important since the job will include dealing with inquiries from data subjects or supervisory authorities across Europe.

The identity of the representative avon should be disclosed to the data subjects by including their contact information in privacy policies and information given to individuals prior to collecting their data (see Article 13 UK-GDPR). Contact information for the UK Representative should be made available on your website so that supervisory authorities are able to easily contact them.

When is the best time to designate the UK Representative?

If your organisation is based outside of the UK, offers goods or services to individuals within the UK or monitors their behaviour and conducts surveillance, you may have to appoint an UK representative. The UK's Applied GDPR regime applies to established companies outside the UK who are carrying out activities in the UK and has the same scope of extraterritorial application as the EU GDPR (with limited exceptions). You can take our no-cost self-assessment to see whether you are subject to this obligation.

A Representative is appointed by the appointing party under the terms of a contract of service. The representative is appointed to act on behalf of the party in relation to specific obligations under the UK GDPR and EU GDPR, if applicable. In the UK, the main purpose of this is to facilitate communication between the party that appointed and the Information Commissioner's Office (ICO) or any affected data subjects in the UK. A Representative could be an individual or a business which is based in the UK. The appointing entity must inform individuals who are data subjects that their personal information will be processed by the Representative, and the identity of the person or company should be easily accessible to supervisory authorities.

According to Articles 13 and 14 of the UK GDPR The appointing entity is also required to provide the contact information of its representative to the ICO as well as the individuals who are data subjects in the UK. It is imperative to make clear that the representative's job is distinct from the one of the position of a Data Protection Officer (DPO) that requires a certain degree of autonomy and independence that is not available to the role of a representative.

If you have to designate a UK representative, it is best to do so as fast as you can. This is because the need for this comes immediately upon Brexit (if there is an 'hard' or 'no deal' Brexit) or after an implementation period (if there is a'soft' or "with deal" Brexit). There is no grace period.

What are the prerequisites to becoming a UK representative?

Under the UK law on data protection (and specifically article 27 of the UK GDPR) sale representatives (http://xtgem.com/u/mamri?redir=ahr0chm6ly93d3cucmvwcy1ylxvzlmnvlnvrlw&forum_id=oqp0yi6mk4estv1g3a90e41ut0cm6qo4iwxz1k3) are an individual or a company that is "designated in writing" by an entity that has no presence in the UK but is subject to the provisions of the law. The UK representative should be capable of representing the entity in compliance with its legal obligations and their contact details must be readily accessible to those in the UK who have personal information being processed by the non-UK business.

The UK Representative must be an overseas senior employee of a media or business company and has been recruited and employed as an employee by the media or business organization outside of the UK. The person applying for the visa must intend to be full-time employed as the UK representative for the business or media organisation, and they are not allowed to engage in any other business activity in the UK.

The visa applicant also needs to demonstrate that they have the skills and experience necessary to fulfill their duties as UK representative, which includes serving as a local contact point for data subjects and UK data protection authorities. The UK Representative must have sufficient knowledge and expertise of UK data protection laws to be competent to respond to inquiries and requests from data protection authorities as well as individuals exercising their rights.

As the Brexit process continues it is likely that the UK laws on data protection will change in the future. However, at the moment, it is expected that businesses from outside the UK who do business in the UK and collect personal information of individuals in the UK will be required to appoint an official from the UK representative.

This is because the UK GDPR mandates that all entities that do not have a UK presence must appoint a representative under article 27 of the UK GDPR, which has been retained as a national law in the UK. If you are not sure whether you need to appoint a UK data protection representative it is recommended that you speak to an experienced lawyer.