공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a variety of high-level positions within the Foreign Office including Deputy Ambassador to China and Director of Economic diplomacy and Emerging Powers. She has also been involved in global trade policy and international issues.

Companies that are located outside of the UK are obliged to comply with UK privacy legislation. They must appoint an official in the UK who will serve as their point-of-contact for people who are data subjects and ICO.

What is what is a UK Representative?

The UK Representative is a person, company or organisation who has been appointed by a controller or processor of data to act in their behalf on all matters related to GDPR compliance. They will be the main point of contact for inquiries from data subjects exercising rights or requests from supervisory authorities. They may also be subject to national regulations which have been imposed due to the GDPR’s extraterritorial scope (see the UK case Rondon against LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of a representative. The requirement applies to any company that does not have a separate establishment within the United Kingdom and that offers goods or services to or monitors the behaviour of individuals located in the United Kingdom, or that manages personal data of those individuals. The Representative must be able provide proof of their identity and prove that they can represent the data processor or controller in respect to UK GDPR requirements.

The Representative must also be able to communicate with authorities in the event of an incident. This is because the Representative has to make a formal notification to the supervisory authority that appointed them, regardless of whether the breach impacts the data subject across multiple jurisdictions.

It is recommended that your chosen representative has worked with both European and UK-based authorities for data protection. It is also desirable for them to be proficient in local languages because they will receive contacts from individuals and agencies in the countries they operate in.

The EDPB says that the Representative is accountable for any non-compliance. However the UK case of Rondon v LexisNexis UK Ltd. (2019) EWHC1427 has confirmed that a representative can't be sued by a person who believes that the controller of the data has failed to meet the GDPR requirements in the UK. The court concluded that the Representative did not have a direct connection with the data processing activities of the entity that it represented.

Who is required to appoint an UK Representative?

In order to comply with the EU GDPR, businesses that are not part of the EU that market their products or services for European citizens but do not have an office, branch, or establishment in the EU must designate an EU Representative. This is in addition to the requirements from national laws on data protection. The purpose of a Representative is to be the local point of contact for supervisory authorities and individuals regarding GDPR compliance issues.

The UK has similar requirements to the EU as laid out in Article 27 of the UK-GDPR. As with the EU requirement the threshold is lower and any business that offers products or services to, or UK representative monitors the conduct of data subjects within the UK must designate an UK representative.

In accordance with the UK-GDPR, a representative must be approved in writing by the data subject or the [British Information Commissioner's office[British Information Commissioner's Office] "to be contacted, in addition or alternatively, on behalf the controller or processor". They cannot be held personally accountable for GDPR compliance. They must, however, cooperate with supervisory authorities in formal proceedings, and also receive messages from those who exercise their rights. ).

Representatives should be based in the EU member state where the people whose data are processed reside. This is not a simple choice and requires a thorough business and legal analysis to determine the best location for a company. For uk representative this reason we offer an unrivalled service to assist organizations in assessing their needs and choosing the best representative option.

It is also recommended that representatives have previous experience in dealing with supervisory authority as well as handling data subject inquiries. The ability to communicate in a local language could be important, as the job may require dealing with inquiries by data subjects or supervisory authority in a variety of countries across Europe.

The identity of the representative must be made known to the data subjects through the privacy policies and the information given prior to collecting data (see article 13 UK-GDPR). The UK Representative's contact information should also be made available on your website, allowing an easy way for supervisory authorities to get in touch with them.

When are you required to designate a UK Representative?

If your company is located outside of the UK and offers products or services in the UK or monitors the behavior of individuals, you could be required to appoint an UK Representative. The UK's applied EU GDPR regime applies for established entities outside the UK that conduct business in the UK. It has the same extraterritorial scope as EU GDPR, with some exceptions. You should take our free self-assessment to see whether you are subject to this obligation.

A representative is authorised by the entity that appointed them under a service contract to represent that entity with regard to a number of its obligations under UK and EU GDPR if applicable. In the UK, this would primarily involve facilitating communications between the entity that appointed the representative and the Information Commissioner's Office or any individuals affected by the UK. A Representative could be an individual or a company with a UK base. The appointing entity must make it clear to the data individuals that their personal information will be processed by the Representative and the identity of the individual or company has to be readily available to supervisory authorities.

In accordance with Articles 13 & 14 of the UK GDPR The appointing entity is also required to provide the contact details of its representative to the ICO as well as to individuals who are data subjects in the UK. It must be clear that the role of a Representative is distinct from and incompatible with the role of the role of a Data Protection Officer ("DPO") which requires a certain degree of independence and autonomy that cannot be provided by a representative.

If you are required to appoint an official from the UK representative the process should be completed as soon as you can. This is because this requirement arises either immediately after Brexit (if it is a "hard" or "no deal" Brexit) or following an implementation period (if it is an "soft" or a "with deal". There is no grace period.

What are the requirements for a UK Representative?

According to UK laws on data protection A representative is a person, or a business who is "designated" in writing by a company that does not have a physical presence in the UK, but is still subject to the law. The UK representative must be able to represent the entity in compliance with its legal obligations, and their contact details should be made readily available to anyone who reside in the UK whose personal data is being processed by a non-UK-based business.

The person who is the UK Representative must be a senior member of the foreign media or business organization and has been hired and appointed as an employee outside of the UK by that media or business. The visa applicant must plan to serve as the UK representative for the media or business organisation full-time, and must not be engaged in any other business activities within the UK.

Additionally the visa holder must demonstrate the necessary knowledge and skills to fulfill their role as a UK Representative which includes serving as the local point of contact for queries from data subjects and the UK authorities for data protection. The UK Representative must have the knowledge and expertise of UK laws regarding data protection to be capable of responding to queries or requests from data protection authorities and individuals exercising their rights.

As the Brexit process continues it is likely that the UK laws on data protection will change over time. At present it is expected that non-UK businesses who do business in the UK and handle personal data of individuals in the UK will need to appoint an official from the UK representative.

It is because article 27 of the UK's GDPR, which was retained as a UK national law, Local become avon representative Representative (Designdarum.Co.Kr) requires entities without a UK-based presence to appoint an UK representative for data protection. If you're unsure whether you require a UK representative for data protection, it's recommended that you seek out a knowledgeable legal advisor.