공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number of senior roles in the Foreign Office including Deputy Ambassador to China and a Director responsible for economic diplomacy and Representative Jobs Emerging Powers. She also worked on global trade policy and international issues related to development.

Businesses located outside the UK are required to adhere to UK privacy laws. They must appoint a Representative in the UK to act as their point of contact for data subjects as well as the ICO.

What is an UK representative?

The UK Representative is a person, company or other entity who has been appointed by the controller or data processor to act on their behalf on all matters related to GDPR compliance. They will be the main contact for any queries from data subjects exercising their rights or requests from supervisory authorities. They may be subject to national requirements that were enacted as a result of the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of a representative. The requirement applies to any entity that does not have its own establishment within the United Kingdom and that offers products or services to or monitors the behavior of individuals residing in the United Kingdom, or that manages personal data of those individuals. The representative jobs (.O.rcu.Pineoxs.a.pro.w***doo.fr@srv5.cineteck.net) must be able to show evidence of their identity and that they are able of representing the data controller or processor in relation to the UK GDPR's obligations.

As well as acting as a means for individuals to exercise their GDPR rights and rights, the representative must be able to communicate with authorities in the event of a breach. The representative must notify the supervisory authority who appointed them, regardless of whether or not the breach affects data subjects across multiple jurisdictions.

It is recommended that your chosen Representative has experience working with both European and UK-based data protection authorities. It is also desirable to are fluent in the local language since they will receive calls from both individuals and data protection authorities in the countries where they work.

The EDPB states that the Representative is responsible for non-compliance. However, the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 confirmed that a representative is not able to be sued by anyone who believes that the data controller has failed to adhere to GDPR in the UK. This is due to the fact that, according to the court the Representative has no direct link to the data processing activities carried out by the entity that is represented.

Who is required to appoint the UK Representative?

In order to comply with the EU GDPR, businesses that are not part of the EU that are targeting goods or services towards European citizens but do not have an office, branch or establishment in the EU must designate an EU Representative. This is in addition to the requirements of the national data protection laws. A Representative's role is to serve as become an avon representative individual point of contact for supervisory bodies and individuals in relation to GDPR issues.

The UK has an identical requirement to that of the EU as laid out in Article 27 of UK-GDPR. Similar to the EU requirement the threshold is lower: any organisation that offers products or services to, or monitors the behaviour of data subjects within the UK must designate a UK representative.

Under the UK-GDPR, a Representative must be mandated in writing "to be additionally or alternatively addressed, on behalf of the controller or processor by the data subjects and the British Information Commissioner's Office[British Information Commissioner's Office]". They are not able to be held personally liable for compliance with the GDPR. However, they must cooperate with supervisory authorities in official proceedings and receive communications from data subjects who exercise their rights (access request, right to be forgotten etc. ).

Representatives must be located in the member state of the European Union in which the individuals whose personal data is processed are residents. This isn't a straightforward decision that requires an in-depth legal and business analysis to determine the right location for an organisation. We provide a service to help companies determine their needs and select the best representative option.

It is also recommended that the representative has experience working with supervisory authorities and handling data subject requests. Language skills in the local language can also be essential, as the job may require dealing with requests from data subjects or supervisory authority in a variety of countries across Europe.

The identity of the representative must be made known to the people who have data through privacy policies and the information provided prior to the collection of data (see article 13 of the UK-GDPR). Contact information for the UK Representative should be published on your website so that supervisory authorities are able to easily contact them.

When do you have to appoint an UK Representative?

If your company is located outside the UK and offers goods or services to the UK or monitors the behaviour of individuals, you may be required to appoint an UK Representative. The UK's Applied GDPR system applies to established companies outside the UK who are carrying out activities in the UK and has the same extraterritorial scope as EU GDPR (with some exceptions). Take our self-assessment for free and determine if you are subject to this obligation.

A representative is authorised by the entity that appointed them under a service contract to represent the entity with respect to a number of its obligations under UK and EU GDPR if applicable. In the UK, this would primarily involve facilitating communications between the entity that appointed the representative and the Information Commissioner's Office or any individuals affected by the UK. A Representative can be either an individual or a business which is based in the UK. The appointing body must inform the data subjects that their personal information will be processed by the Representative and the identity of that individual or company must be readily available to supervisory authorities.

The entity that appointed the representative must provide the contact information of its Representative to the ICO and all data subjects affected in the UK in conformity with Article 13 and 14 of UK GDPR. It is essential to clarify that a representative's role is distinct from that of a Data Protection Officer (DPO) that requires a certain degree of independence and autonomy not possible for representatives.

If you need to appoint a UK representative it is recommended to do so as fast as possible. This is because this requirement is required either immediately following Brexit (if it is a "hard" or "no deal" Brexit) or following an implementation period (if it's an "soft" or "with deal". There is no grace period.

What are the requirements for the designation of a UK Representative?

Under the UK laws on data protection (and specifically article 27 of the UK GDPR), a representative is an individual or business that is "designated in writing" by an entity that has no presence in the UK but is subject to the requirements of the law. The UK representative has to be competent to represent the company with regard to its obligations under the law and their contact information should be made readily available to anyone within the UK who have personal data being processed by a non-UK-based business.

The UK Representative must be an overseas senior member of a business or media company, and have been hired and employed as an employee of the business or media organization outside the UK. The person applying for the visa must intend to be employed full-time as the UK representative for the media or business organization, and they are not allowed to engage in any other business activity in the UK.

Additionally the visa applicant must demonstrate the required skills and experience to perform their role as UK Representative, which will include acting as local point of contact for any queries from data subjects and the UK authorities for data protection. This is to ensure that the UK Representative is knowledgeable of and expertise in the UK data protection laws and can be able to respond to requests from individuals exercising their rights under the law and any other requests or enquiries received from data protection authorities.

As the Brexit process continues and the process continues, it is likely that UK data protection laws will be altered in the future. However, at present, it is expected for companies from outside the UK that conduct business in the UK and collect personal data of individuals in the UK to nominate UK Representatives.

This is because article 27 of the UK's GDPR which was enacted as an UK national law, requires entities without having a presence in the UK to appoint the position of a UK representative for data protection. If you're unsure whether you need a UK data protection rep it is advised to consult an experienced legal advisor.