공지사항

what is an avon representative Is a UK Representative and Why Do You Need One?

Natacha has served in various senior positions at the Foreign Office, including as the Deputy Ambassador for China and Director responsible for Economic Diplomacy and Emerging Powers. She has also worked on global trade policy as well as international issues related to development.

Businesses located outside the UK are required to adhere to UK privacy legislation. They must choose an official in the UK who will serve as their point-of-contact for data subjects and ICO.

What is what is a UK representative?

The UK Representative is an individual, company or organisation mandated in writing by a data controller or processor to act on their behalf regarding the GDPR's compliance issues in general. They will be the main point of contact for queries from individuals exercising rights or requests from supervisory authorities. They may also be subjected to national requirements that have been put in place due to the GDPR's extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. This requirement applies to all companies that do not have a permanent presence in the United Kingdom but offer goods or services, or monitor the behavior of people who are located in the United Kingdom or process personal data. The Representative must be able prove their identity, and also prove that they can be the data processor or controller in relation to UK GDPR requirements.

In addition to acting as a means for individuals to exercise their rights under GDPR and rights, the representative must be able to communicate with authorities in the event of a breach. The Representative must notify the supervisory authority that appointed them regardless of whether or not the breach affects data subjects across multiple jurisdictions.

It is recommended that the Representative has experience of working with both European and UK representative UK-based data protection authorities. It is also desirable to are fluent in the local language because they are likely to receive contact from both individuals and data protection authorities in the countries where they work.

Although the EDPB states that the Representative must be held accountable in the event of non-compliance the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative can't be sued by a person for the alleged failure to comply with the UK GDPR. This is because, according to the court, the Representative has no direct link to the processing of data by the entity that is represented.

Who needs to appoint the UK Representative?

In order to comply with the EU GDPR, companies outside of the EU that are targeting goods or services to European citizens, but do not have an office, branch or establishment within the EU must designate an EU Representative. This is in addition to the requirements from national laws regarding data protection. A representative's job is to be the local point of contact for individuals and supervisory bodies regarding GDPR-related issues.

The UK has its own version to the EU requirements, as laid in Article 27 of the UK-GDPR. Similar to the EU requirement the threshold is lower and any business that offers goods or services to, or monitors the behavior of data subjects in the UK must appoint a UK Representative.

Under the UK-GDPR, a Representative must be mandated in writing "to be additionally or alternatively, addressed on behalf of the controller or processor by the data subjects and the [British Information Commissioner's Office]". They are not personally responsible for GDPR compliance. They must, however, cooperate with supervisory authorities during formal proceedings, and also receive notifications from individuals who exercise their rights. ).

Representatives must be located in the state of the European Union in which the individuals whose personal information is processed reside. Most of the time, this isn't a straightforward decision to make and a thorough analysis of legal and business aspects is required to determine the location(s) most appropriate for an organisation. We provide a specialized service that helps organisations determine their needs and select the best representative option.

It is also recommended that representatives have experience working with supervisory authorities and dealing with requests from data subjects. Language skills in the local language can also be crucial, since the job could involve dealing with inquiries by data subjects or supervisory authority in multiple countries throughout Europe.

The identity of the representative must be disclosed to people who have data through privacy policies and other information that is provided prior to the collection of data (see article 13 in the UK-GDPR). Contact information for the UK Representative should be published on your website so that supervisory authorities can easily reach them.

When do you have to designate a UK Representative?

If your business is based outside of the UK offers products or UK Representative services to people in the UK, or monitors their behaviour, you may need to select an UK Representative. The UK's Applied GDPR system is applicable to established non-UK entities that are conducting business in the UK and has the same scope of extraterritorial application as the EU GDPR (with some exceptions). You should take our free self-assessment to see whether you have this obligation.

A representative is appointed by the party appointing under a contract of service to represent that party in relation to specific obligations under the UK GDPR and EU GDPR, if applicable. In the UK, the main purpose of this is to facilitate communication between the party that appointed and the Information Commissioner's Office (ICO) or any affected data subjects in the UK. A Representative could be an individual or a company with a UK base. The entity that is appointing the representative must make it clear to the data users that their personal data will be processed by the Representative and the identity of that individual or company has to be readily available to supervisory authorities.

The entity that appointed the representative must provide the contact information of its representative to ICO and all data subjects affected in the UK in accordance with Article 13 and 14 of UK GDPR. It must be made clear that the representative's job is distinct from the role of the position of a Data Protection Officer (DPO), which requires a degree of autonomy and independence not possible for a representative.

If you need to appoint a UK representative, it is best to do so as fast as you can. This is because the requirement will be in effect immediately following Brexit (if there is an 'hard' or 'no deal' Brexit) or after an implementation period (if there is a soft or 'with deal' Brexit). There is no grace period.

What are the requirements for the designation of a UK Representative?

According to UK data protection laws, a representative is a person or company who is "designated" in writing by an entity that does not have a physical presence in the UK however is subject to the law. The UK representative should be able to represent an entity with respect to its legal obligations. Contact details for representatives should be readily accessible to UK residents whose personal data are processed by a non-UK company.

The individual who is the UK Representative must be a senior worker of the overseas media or business organisation and has been enlisted and subsequently made an employee outside the UK by that media or business organisation. The applicant for the visa must be planning to serve as the UK representative for the business or media organisation full-time, and must not be engaged in any other business activities within the UK.

In addition the visa applicant must demonstrate the required skills and experience to perform their role as a UK Representative which includes serving as local contact for inquiries from data subjects as well as the UK authorities for data protection. This is to ensure that the UK Representative is knowledgeable of and understanding of the UK data protection laws and can be able to respond to requests from individuals exercising their rights under the law in addition to any other inquiries or requests received from authorities dealing with data protection.

As the Brexit process continues it is expected that the UK laws on data protection will evolve in the future. At present it is expected that companies from outside the UK that do business in the UK and collect personal information of individuals in the UK will be required to appoint an official from the UK representative.

This is because the UK GDPR requires that entities with no UK presence must appoint representatives under article 27 of the UK GDPR which has been incorporated as a national law in the UK. If you are unsure of whether you need to designate a UK representative for data protection, it is recommended that you consult an experienced lawyer.