공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a variety of high-level positions within the Foreign Office including Deputy Ambassador to China and Director tourdeskhawaii.com of Economic diplomacy and Emerging Powers. She has also been involved in global trade policy and international issues.

Businesses located outside the UK are obliged to comply with UK privacy laws. They must designate a representative in the UK to act as their point of contact for data subjects and the ICO.

What is what is a UK Representative?

The UK Representative is a person, company or organisation mandated in writing by the controller or processor of data to act on behalf of the controller or processor regarding all aspects of GDPR compliance. They will be the main point of contact for requests from data subjects exercising their rights or requests from supervisory authorities. They may also be subject to national requirements that have been put in place because of the GDPR's extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).

The appointment of Representatives is required under Article 27 of the EU GDPR, and the UK equivalent Section 3(2) of the Data Protection Act 2018. The requirement applies to any organization that does not have a separate establishment within the United Kingdom and that offers products or services to or monitors the behavior of individuals residing in the United Kingdom, or that processes personal data of such individuals. The Representative must be able authentic proof of their identity, and also prove that they can represent the controller or processor of data in relation to UK GDPR obligations.

The representative must also be able to communicate with authorities if there's becoming an avon representative incident. The representative must inform the supervisory authority that appointed them, regardless of whether the breach affects data subjects in multiple jurisdictions.

It is recommended that your Representative has experience working with both European and UK-based data protection authorities. It is also desirable for them to speak a local language since they are likely to receive contacts from individuals and agencies in the countries they operate in.

While the EDPB states that the Representative should be held liable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative cannot be sued by a person for the alleged failure to comply with the UK GDPR. The court found that the Representative had no direct connection to the data processing activities of the entity that it represented.

Who is required to appoint the UK Representative?

The EU GDPR requires that businesses outside of the EU, without an office or branch within the EU and that are targeting products or services to European citizens must appoint an official. This is in addition to the requirements from national laws on data protection. The function of a representative is to be an individual point of contact for individuals and supervisory authorities with respect to GDPR compliance issues.

The UK has a similar requirement to the EU, which is outlined in Article 27 of UK-GDPR. The threshold is the same as that of the EU requirement: any organisation offering goods or services in the UK or monitoring the behaviour of data subjects, must appoint an UK Representative.

According to the UK-GDPR, a representative must be authorised in writing by the data subject or pasarinko.zeroweb.kr the British Information Commissioner's Office[British Information Commissioner's Office] "to be contacted, further or alternately, on behalf the controller or processor". They cannot be held personally responsible for GDPR compliance. However, they must cooperate with supervisory authorities in formal proceedings and receive notifications from data subjects who exercise their rights (access request, right to be forgotten, etc. ).

Representatives should be located in the Member State of the European Union in which the individuals whose personal information is processed are residents. This isn't a straightforward decision and requires an extensive legal and business analysis to determine the best location for a company. We provide a specialized service to help companies assess their needs and choose the most appropriate representative location.

It is also advisable that the representative has experience dealing with supervisory authorities and dealing with data subject requests. Local language skills are also frequently important as the role is likely to include dealing with inquiries from supervisory authorities or data subjects in multiple countries across Europe.

The identity of the representative should be disclosed to the individuals who are data subjects by incorporating their details in privacy policies and information provided to individuals before collecting their personal data (see Article 13 of the UK-GDPR). Contact details for the UK Representative should be posted on your website so that supervisory authorities are able to easily contact them.

When do you need to appoint an UK Representative?

If your organisation is located outside of the UK and provides goods or services in the UK or monitors the conduct of individuals, you could be required to appoint an UK Representative. The UK's Applied GDPR regime applies to non-UK established entities who are carrying out activities in the UK and has the same extraterritorial reach as the EU GDPR (with some exceptions). Take our free self-assessment to see if you are subject to this obligation.

A Representative is mandated by the appointing entity in an agreement to act on behalf of the entity with respect to specific obligations under the UK and EU GDPR, if applicable. In the UK it would involve facilitating communication between the entity that appointed the representative and the Information Commissioner's Office or any data subjects that are affected in the UK. A Representative could be an individual or a UK-based company. The entity that is appointing the representative must make it clear to individuals who are data subjects that their personal information will be processed by the Representative and the identity of the individual or company must be made easily accessible to supervisory authorities.

In accordance with Articles 13 & 14 of the UK GDPR, the appointing entity is also required to provide the contact information of its representative to the ICO as well as the people who have data in the UK. It is essential to clarify that a representative's role is different from the role of a Data Protection Officer (DPO), which requires a degree of autonomy and independence that is not available to the role of a representative.

If you are required to appoint an UK representative and you are required to do so, you must do it as soon as possible. This is because the requirement will be in effect immediately after Brexit (if there is either a 'hard' or "no deal' Brexit) or after an implementation period (if there is a'soft' or "with deal" Brexit). There is no grace period.

What are the requirements for the designation of a UK Representative?

Under the UK data protection laws (and specifically article 27 of the UK GDPR), a representative is an individual or business that is "designated in writing" by an entity that lacks a presence in the UK but is subject to the provisions of the law. The UK representative should be able to represent an entity in relation to its legal obligations. Contact details for representatives should also be readily available to UK residents whose personal information are processed by a non-UK business.

The UK Representative must be an overseas senior employee of a media or business organization and have been hired and employed as an employee of the business or media organization outside of the UK. The applicant for the visa must be planning to serve as the UK representative for the media or business organisation full-time and not engage in other business activities in the UK.

The applicant also has to prove that they have the expertise and experience required to perform their duties as UK representative, which entails acting as the local point of contact with data subjects and UK data protection authorities. This is to ensure that the UK Representative has sufficient knowledge of and experience with UK data protection laws, and can respond to any requests from individuals exercising their rights under the law and any other requests or enquiries received from data protection authorities.

As the Brexit process continues it is likely that the UK laws on data protection will be altered over time. In the present, however it is expected of companies from outside the UK that conduct business in the UK and handle personal data of individuals in the UK to choose UK Representatives.

It is because article 27 of the UK's GDPR that was adopted as an UK national law, requires all entities that do not have any presence in the UK to nominate the position of a UK representative for data protection. If you're not sure whether you're required to have a UK data protection rep it is advised to consult a qualified legal professional.