공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number of senior positions in the Foreign Office including Deputy Ambassador to China and Director of Economic diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.

Companies that are not based in the UK must adhere to UK privacy laws. They must choose a representative in the UK who will act as their point of contact for people who are data subjects and ICO.

What is what is an avon representative is a UK representative?

The UK Representative is a person, business or organization who has been appointed by a controller or processor of data to act in their behalf on all matters related to GDPR compliance. They will be the primary point of contact for inquiries from data subjects who exercise their rights or [Redirect-Meta-10] requests from supervisory authority. They could also be subject to national regulations which have been imposed due to the GDPR’s extraterritorial scope (see the UK case Rondon against LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. The requirement applies to any organization that does not have its own establishment within the United Kingdom and that offers products or services to or monitors the behavior of individuals residing in the United Kingdom, or that handles personal data of these individuals. The Representative must be able to show proof of their identity as well as that they are capable of representing the controller or processor of data in respect to the UK GDPR's obligations.

The Representative must also be able communicate with authorities if there's an incident. The representative must inform the supervisory authority who appointed them regardless of whether or not the breach affects data subjects in multiple jurisdictions.

It is recommended that your chosen representative has worked with both European and UK-based data protection authorities. It is also beneficial for them to be proficient in local languages, as they will likely receive contacts from individuals and agencies in the countries where they work in.

The EDPB states that the Representative is responsible for non-compliance. However the UK case of Rondon v LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative can't be sued by anyone who believes that the controller of the data did not comply with GDPR in the UK. This is because according to the court, the Representative has no direct connection to the processing of data by the entity that is represented.

Who is required to appoint the UK Representative?

The EU GDPR requires that non-EU businesses with no office, branch or establishment in the EU and that are targeting products or services to European citizens must appoint a Representative. This is in addition to the requirements from national data protection laws. A Representative's role is to act as an individual point of contact for individuals and supervisory bodies in relation to GDPR issues.

The UK has its own equivalent to the EU requirement, set in Article 27 of the UK-GDPR. As with the EU requirement the threshold is lower for any company that provides goods or services to or monitors the behavior of data subjects within the UK must designate an UK Representative.

Under the UK-GDPR, a Representative must be formally authorized "to be addressed, in addition or alternatively addressed, on behalf of the controller or processor by the data subjects and the [British Information Commissioner's Officethe [British Information Commissioner's Office]". They are not personally responsible for GDPR compliance. However, they must cooperate with supervisory authorities in official proceedings and receive communications from data subjects who exercise their rights (access request or right to be forgotten, etc. ).

Representatives should be based in the EU member state where the people whose data are processed are. This is not an easy decision that requires an extensive legal and business analysis to determine the right location for an organisation. We provide a specialized service that helps organisations assess their needs and choose the most suitable representative choice.

It is also recommended that Representatives have experience interacting with both supervisory authority and handling data subject inquiries. The ability to communicate in a local language could be essential, as the role may involve handling inquiries from data subjects or supervisory authority in multiple countries throughout Europe.

The identity of the representative should be clarified to the data subjects by including their details in privacy policies as well as the information provided to individuals prior to collecting their personal data (see Article 13 UK-GDPR). Contact information for the UK Representative should be posted on your website so that supervisory authorities can easily reach them.

When do you have to nominate the UK Representative?

If your business is based outside the UK offers goods or services to customers in the UK, or monitors their behaviour and conducts surveillance, you may have to designate the position of a UK Representative. The UK's applied EU GDPR regime is applicable to non-UK established entities that are performing activities in the UK. It has the same reach as EU GDPR, with limited exceptions. It is recommended that you take our free self-assessment and find out if you are subject to this obligation.

A Representative is appointed by the party appointing under a contract of service to act for that party in relation to certain obligations under the UK GDPR and EU GDPR, if applicable. In the UK this would typically involve facilitating communication between the appointing entity and Information Commissioner's Office or any data subjects that are affected in the UK. A Representative could be an individual or a business that is established in the UK. The appointing body must inform data subjects that the Representative will be processing their personal data and ensure that the identity of the individual or business is readily accessible to supervisory authorities.

The entity that is appointing the representative must provide the contact details of its representative to ICO and data subjects affected in the UK in accordance with Article 13 as well as 14 of UK GDPR. It is essential to make clear that the job of a Representative is separate from and incompatible with the role of a Data Protection Officer ("DPO") that requires a certain degree of autonomy and independence that cannot be provided by a Representative.

If you have to nominate an UK representative the process should be completed as soon as you can. This is because the requirement will be in effect immediately upon Brexit (if there is a 'hard' or 'no deal' Brexit) or after an implementation period (if there is a soft or 'with deal' Brexit). There is no grace period.

What are the requirements to become a UK representative?

According to UK data protection laws A representative is a person, or a business who is "designated" in writing by a company that doesn't have a physical presence in the UK however is subject to the law. The UK representative should be able to represent an entity in relation to its legal obligations. Contact details for representatives should also be readily available to UK residents whose personal details are being processed by a non-UK business.

The individual who is the UK Representative must be a senior member of the foreign media or business organisation and have been recruited and subsequently made an employee outside of the UK by the media or business. The visa applicant must intend to work as the UK representative for the media or business organisation full-time, and must not be engaged in other business activities in the UK.

Additionally, the visa applicant must prove that they have the necessary skills and experience to perform their role as a UK Representative, which will include acting as the local avon representative point of contact for any queries from data subjects and the UK data protection authorities. This is to ensure that the UK Representative has sufficient knowledge of and expertise in the UK data protection laws, and is able to respond to requests from individuals exercising their rights under the law, as well as any other inquiries or requests received from authorities dealing with data protection.

As the Brexit process continues it is likely that the UK data protection laws will change as time passes. In the present, however, it is expected for companies that are not based in the UK, but do business in the UK, and this hyperlink process personal data on individuals in the UK to nominate UK representatives.

This is because article 27 of the GDPR in the United Kingdom that was adopted as a UK national law, requires all entities that do not have any presence in the UK to nominate a UK representative for data protection. If you're not sure whether you need a UK representative for data protection it is advised to consult a qualified legal professional.