공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number of senior roles in the Foreign Office including Deputy Ambassador to China and [Redirect-302] Director for economic diplomacy and Emerging Powers. She also has worked on global trade policy and international issues.

Businesses located outside the UK are bound by UK privacy legislation. They must designate an agent in the UK who will be their point-of-contact for data subjects and ICO.

What is an UK Representative?

The UK Representative is a person, business or organisation who has been appointed by a data processor or controller to act on behalf of the controller or processor on all matters related to GDPR compliance. They will be the main point of contact for inquiries from data subjects exercising rights or requests from supervisory authorities. They could be subject to national laws that have been put in place due to the GDPR’s extraterritorial scope (see the UK case Rondon against LexisNexis Risk Solutions).

The appointment of Representatives is required by Article 27 of the EU GDPR, and the UK equivalent Section 3(2) of the Data Protection Act 2018. This requirement is applicable to all entities that do not have a permanent location in the United Kingdom but offer goods or services, or monitor the behavior of those who reside there or who handle personal data. The representative must be able evidence of their identity and that they are competent in representing the controller or processor of data in relation to the UK GDPR's requirements.

The representative must also be able communicate with authorities if there is a breach. This is because the Representative needs to send a notice to the supervisory authority that appointed them, regardless of whether the breach affects the data subject across multiple jurisdictions.

It is recommended that your chosen representative has worked with both European and UK-based data protection authorities. It is also desirable for them to have local language abilities since they are likely to receive contact from individuals and agencies in the countries where they work in.

While the EDPB states that the Representative must be held liable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative cannot be sued by an individual for the apparent failure to adhere How to become avon representative an avon representative (https://www.appartementloue.com) the UK GDPR. This is due to the fact that according to the court, the Representative has no direct link to the data processing activities carried out by the entity that is represented.

Who is required to appoint the UK Representative?

To comply with the EU GDPR, companies outside of the EU that market their products or services for European citizens, but do not have an office, branch or establishment within the EU must designate an EU Representative. This is in addition to the requirements of national laws on data protection. The role of a Representative is to act as an individual point of contact for individuals and supervisory authorities in relation to GDPR compliance issues.

The UK has its own version to the EU requirement, which is set in Article 27 of the UK-GDPR. The threshold is the same as that of the EU requirement: any organization that offers goods or services in the UK or monitoring the behaviour of individuals who are data subjects, must designate an UK Representative.

According to the UK-GDPR, a representative must be authorised in writing by the data subjects or the [British Information Commissioner's officeto be able "to be contacted, further or alternatively, on behalf the controller or processor". They cannot be held personally responsible for GDPR compliance. However they must cooperate with supervisory authorities in formal proceedings and also receive communications from data subjects exercising their rights (access request, right to be forgotten etc. ).

Representatives must be located in the Member State of the European Union in which the individuals whose personal data are processed are residents. In the majority of cases, this isn't a straightforward decision to make. A careful analysis of the legal and business context is required to assess the location(s) most suitable for an organisation. For this reason we offer a dedicated service to assist organisations in assessing their needs and deciding on the most appropriate Representative option.

It is also recommended that representatives have previous experience in dealing with supervisory authority as well as handling inquiries from data subjects. Local language skills can also be crucial, since the job could involve dealing with inquiries by data subjects or supervisory authorities in a variety of countries across Europe.

The identity of the Representative should be disclosed to the individuals who are data subjects by incorporating their information in privacy policies and the information provided to individuals prior to collecting their data (see Article 13 UK-GDPR). The UK Representative's contact details should be posted on your website, allowing the authorities in charge of supervision easy access to connect with them.

When are you required to appoint an UK Representative?

If your business is located outside the UK and offers goods or services in the UK or monitors the behaviour of individuals, you might be required to appoint an UK Representative. The UK's Applied GDPR system is applicable to established non-UK entities that conduct business in the UK and has the same scope of extraterritorial application as EU GDPR (with some exceptions). You can take our no-cost self-assessment to see whether you have this obligation.

A Representative is appointed by the appointing party under the terms of a contract of service. The representative is appointed to act for that party in relation to specific obligations under UK GDPR and EU GDPR, if applicable. In the UK this would typically involve facilitating communications between the appointing entity and Information Commissioner's Office or any data subjects that are affected in the UK. A Representative can either be an individual or a company based in the UK. The entity that is appointing the representative must inform data individuals that their personal information will be processed by the Representative and the identity of the individual or company must be easily accessible to supervisory authorities.

In accordance with Articles 13 and 14 of the UK GDPR the entity that is appointed as the representative is also required to provide the contact details of its representative to the ICO and the individuals who are data subjects in the UK. It must be made clear that the role of a representative is distinct from the one of a Data Protection Officer (DPO), which requires a degree of autonomy and independence that is that is not available to representatives.

If you are required to designate a UK representative, it is best to do it as soon as possible. This is because the requirement arises immediately after Brexit (if there is a 'hard' or 'no deal' Brexit) or after an implementation period (if there is a soft or 'with deal' Brexit). There is no grace period.

What are the requirements for the designation of a UK Representative?

According to UK laws on data protection, a representative is a person or company who is "designated" in writing by an entity which doesn't have a physical presence in the UK but is subject to the law. The UK representative has to be capable of representing the entity with regard to its obligations under the law and their contact details should be made readily available to anyone within the UK who have personal data being processed by the non-UK business.

The UK Representative must be an overseas senior employee of a media or business organization and have been hired and employed as an employee of the media or business entity outside of the UK. The visa applicant must genuinely intend to be employed full-time as the UK representative for the media or business company, and must not engage in any other business ventures in the UK.

The applicant for visas also has to prove they have the knowledge and experience required to perform their role as UK representative, which involves serving as an individual point of contact with the data subjects and UK authorities for data protection. This is to ensure that the UK Representative is well-informed of and understanding of the UK data protection laws and can respond to any requests from individuals exercising their rights under the law and any other inquiries or requests received from authorities dealing with data protection.

As the Brexit process continues it is likely that the UK data protection laws will change over time. At the moment it is expected that businesses from outside the UK who do business in the UK and collect personal information of individuals within the UK will need to designate a UK Representative.

This is because the UK GDPR stipulates that companies with no UK presence must appoint a representative in accordance with article 27 of the UK GDPR, which has been retained as a national law in the UK. If you are not sure whether you need to nominate the position of a UK representative for data protection, it is recommended that you consult an experienced lawyer.