공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number of senior roles in the Foreign Office including Deputy Ambassador to China and Director for economic diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.

Companies that are not based in the UK must comply with UK privacy laws. They must appoint a representative in the UK who will serve as their point-of-contact for individuals who have data and the ICO.

What is what is a UK representative?

The UK Representative is an individual, a company or other entity that has been formally authorised by the controller or processor of data to act on behalf of the controller or processor in all matters around GDPR compliance. They will be the main contact point for inquiries from data subjects exercising their rights or requests from supervisory authorities and may be subject to national requirements that have been enacted in light of the GDPR's extraterritorial reach (see the UK case Rondon v LexisNexis Risk Solutions).

The appointment of a Representative is required under Article 27 of the EU GDPR, as well as the UK equivalent, Section 3(2) of the Data Protection Act 2018. The requirement applies to any organization that does not have its own place of business within the United Kingdom and that offers goods or services to or monitors the behaviour of people who reside in the United Kingdom, or sales representative that manages personal data of those individuals. The representative must be able to show proof of their identity as well as that they are capable of representing the controller or processor of data in respect to the UK GDPR's requirements.

The representative must also be able to communicate with authorities if there is a breach. The representative must inform the supervisory authority that appointed them regardless of whether or not the breach affects individuals in multiple jurisdictions.

It is recommended that the Representative has experience of working with both European and UK-based data protection authorities. It is also recommended for them to be proficient in local languages since they are likely to receive contacts from individuals and data protection agencies in the countries they work in.

The EDPB says that the Representative is responsible for non-compliance. However the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative can't be sued by anyone who believes that the controller of the data did not comply with GDPR in the UK. This is because according to the court, the Representative has no direct link to the data processing activities carried out by the represented entity.

Who is responsible for appointing the UK Representative?

In order to comply with the EU GDPR, businesses outside of the EU who are aiming their goods or services to European citizens but do not have an office, branch, or establishment within the EU must designate an EU Representative. This is in addition to the requirements of national laws on data protection. The role of a representative is to be the local point of contact for individuals and supervisory bodies regarding GDPR concerns.

The UK has an identical requirement to that of the EU as laid out in Article 27 of UK-GDPR. Similar to the EU requirement, the threshold is low and any business that offers goods or services to, or monitors the conduct of data subjects within the UK must designate an official from the UK sales representative; visit my webpage,.

According to the UK-GDPR, a representative must be authorized in writing by the data subject or the [British Information Commissioner's office] "to be contacted, further or alternatively, on behalf the controller or processor". They cannot be personally accountable for the GDPR's compliance. They must however cooperate with supervisory authorities during formal proceedings, and receive notifications from individuals who exercise their rights. ).

Representatives must be situated within the EU member state where the individuals whose personal data are processed are. This is not a simple decision that requires an in-depth legal and business analysis to determine the right location for an organization. This is why we provide a dedicated service to assist companies in assessing their requirements and deciding on the most appropriate option for them.

It is also recommended that representatives have previous experience in dealing with supervisory authority as well as handling data subject inquiries. Local language skills are also often of importance as the job is likely to be involving dealing with requests from supervisory authorities or data subjects in multiple countries across Europe.

The identity of the Representative should be disclosed to data subjects by including their details in privacy policies and information provided to individuals prior to collecting their data (see Article 13 UK-GDPR). Contact details for the UK Representative should be made available on your website so that supervisory authorities are able to easily contact them.

When do you need to designate the UK Representative?

If your company is located outside of the UK provides goods or services to customers within the UK, or monitors their behavior, you may need to select a UK representative. The UK's Applied EU GDPR regime is available to non-UK established companies which are operating in the UK. It has the same extraterritorial reach as EU GDPR, but with a few exceptions. It is recommended that you take our free self-assessment to see whether you are subject to this obligation.

A representative is appointed by the party appointing under a contract of service to represent that party in relation to certain obligations under UK GDPR and EU GDPR, as applicable. In the UK this would typically involve facilitating communication between the entity that appointed the representative and the Information Commissioner's Office or any individuals affected by the UK. A Representative can either be an individual or a UK-based company. The appointing body must inform individuals who are data individuals that their personal information will be processed by the Representative, and the identity of that individual or company must be made easily accessible to supervisory authorities.

The appointing entity must also provide the contact information of its representative to ICO and data subjects affected in the UK in conformity with Article 13 and 14 of the UK GDPR. It is imperative to make clear that the representative's job is distinct from the one of the role of a Data Protection Officer (DPO), which requires a degree of independence and autonomy not possible for the role of a representative.

If you are required to appoint a UK representative it is recommended to do so as fast as you can. This is because the need for this comes immediately after Brexit (if there is either a 'hard' or "no deal' Brexit) or after an implementation period (if there is a soft or 'with deal' Brexit). There is no grace period.

What are the requirements to become avon representative a UK representative?

According to UK data protection laws the definition of a representative is a person, or a business who is "designated" in writing by an entity that has no physical presence in the UK but is subject to the law. The UK representative should be capable of representing the entity with regard to its obligations under the law, and their contact details must be readily accessible to those who reside in the UK whose personal data is being processed by the non-UK company.

The individual who is the UK Representative must be a senior member of the overseas media or business organisation and have been recruited and subsequently made an employee outside of the UK by the media or business organisation. The person applying for the visa must intend to be employed full-time as the UK representative for the business or media organisation, and they are not allowed to engage in any other business activity in the UK.

The applicant for visas also has to demonstrate that they have the expertise and experience necessary to fulfill the role of a UK representative, which includes serving as the local contact point for individuals who are data subjects as well as UK data protection authorities. The UK Representative must possess sufficient knowledge and understanding of UK laws regarding data protection to be capable of responding to requests and enquiries from data protection authorities and individuals exercising their rights.

As the Brexit process progresses it is likely that the UK data protection laws will be altered over time. However, at the moment it is expected that non-UK businesses who do business in the UK and process personal data of individuals in the UK will need to designate an UK Representative.

This is because article 27 of the GDPR in the United Kingdom which was enacted as an UK national law, requires companies without having a presence in the UK to appoint the position of a UK representative for data protection. If you are not sure whether you need to designate a UK data protection representative, it is recommended that you speak to an experienced legal adviser.