공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a number senior positions at the Foreign Office, including as the Deputy Ambassador for China and Director for Economic Diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.

Businesses that are not located in the UK are required to adhere to UK privacy legislation. They must appoint a representative in the UK to serve as their point of contact for data subjects as well as the ICO.

What is what is a UK Representative?

The UK Representative is a person, company or organisation that has been authorised by a controller or processor of data to act in their behalf in all matters related to GDPR compliance. They will be the primary point of contact for enquiries from individuals exercising their rights, or for requests from supervisory authorities. They could be subject to national requirements which have been implemented as a result of the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. This requirement applies to all companies that do not have a permanent establishment in the United Kingdom but offer goods or services, or observe the actions of those who reside there, or who process personal data. The representative must be able to authentic proof of their identity and prove that they can represent the data processor or controller in respect to UK GDPR obligations.

As well as acting as a platform for individuals to exercise their GDPR rights, the Representative must be in a position to communicate with authorities in the event of an incident. The representative must notify the supervisory authority that appointed them regardless of whether the breach affects data subjects in multiple jurisdictions.

It is recommended that your Representative has experience working with both European and UK-based data protection authorities. It is also desirable to have a local language proficiency because they are likely to receive calls from both individuals and data protection authorities in the countries in which they work.

Although the EDPB states that the Representative should be held accountable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative can't be sued by a person for the inability to comply with the UK GDPR. The court concluded that the Representative had no direct connection to the processing of data by the represented entity.

Who is responsible for appointing the UK Representative?

The EU GDPR stipulates that businesses outside of the EU, without an office, branch or establishment in the EU, that target goods or services at European citizens, must designate a Representative. This is in addition to the requirements of national laws on data protection. The role of a Representative is to act as a local point of contact for supervisory authorities and individuals in relation to GDPR compliance issues.

The UK has an identical requirement to that of the EU that is described in Article 27 of UK-GDPR. The threshold is the same as that of the EU requirement: any organisation that offers goods or services in the UK or monitoring the conduct of the data subjects, has to appoint an UK Representative.

Under the UK-GDPR, a Representative must be appointed in writing "to be, additionally or alternatively, addressed on behalf of the controller or processor by the data subjects and the [British Information Commissioner's Office[British Information Commissioner's Office]". They cannot be held personally accountable for GDPR compliance. However they must cooperate with supervisory authorities in official proceedings and receive information from data subjects exercising their rights (access request or right to be forgotten, etc. ).

Representatives must be located in the Member State of the European Union in which the individuals whose personal data is processed reside. This is not a simple choice and requires an in-depth legal and business analysis to determine the best location for a company. For this reason we offer an unrivalled service to assist companies in assessing their requirements and deciding on the most appropriate option for them.

It is also recommended that Representatives have experience in interacting with both supervisory authorities and handling data subject requests. Language skills in the local area are often of importance as the role is likely to include dealing with inquiries from supervisory authorities or data subject across Europe.

The identity of the representative avon should be disclosed to individuals who are the data subjects via privacy policies and the information given prior to collecting data (see article 13 of the UK-GDPR). The UK Representative's contact details should also be made available on your website, allowing an easy way for supervisory authorities to connect with them.

When is the best time to appoint a UK Representative?

If your company is located outside the UK, offers goods or services to customers within the UK or monitors their behaviour it is possible to appoint a UK Representative. The UK's Applied EU GDPR regime is applicable to non-UK established companies which are operating in the UK. It has the same extraterritorial scope as EU GDPR, with some exceptions. It is recommended that you take our free self-assessment to see whether you are subject to this obligation.

A representative is appointed by the party appointing under an agreement of service to act for that party with respect to certain obligations under the UK GDPR and intercs.co.kr EU GDPR, if applicable. In the UK, this would primarily involve facilitating communication between the entity that appointed the representative and the Information Commissioner's Office or any individuals affected by the UK. Representatives can be an individual or a company which is based in the UK. The body that appointed them must inform data subjects that the Representative will be processing their personal data and that the identity of the person or company is readily accessible to supervisory authorities.

The appointing entity must also provide the contact information of its Representative to the ICO and all data subjects affected in the UK in accordance with Article 13 as well as 14 of the UK GDPR. It is essential to clarify that the representative's job is different from the role of a Data Protection Officer (DPO) which requires a level of independence and autonomy that is not achievable for the role of a representative.

If you need to designate a UK representative It is advised to do so as fast as possible. This is because the obligation is either immediately following Brexit (if it's a "hard" or "no deal" Brexit) or following an implementation period (if it is a "soft" or "with deal". There is no grace period.

What are the requirements for the designation of a UK Representative?

Under the UK law on data protection (and specifically article 27 of the UK GDPR) Representatives are an individual or a company that is "designated in writing" by an entity that does not have a presence in the UK but is subject to the requirements of the law. The UK representative must be able to represent the entity in compliance with its obligations under the law and their contact information must be readily accessible to individuals within the UK who have personal data being processed by a non-UK company.

The person who is the UK Representative must be a senior employee of the foreign business or media organisation and has been hired and subsequently made an employee outside of the UK by that media or business. The visa applicant must intend to work as the UK representative of the business or media organization full-time and not engage in other business activities in the UK.

The applicant for visas also has to prove that they have the skills and experience necessary to fulfill their role as UK representative, which entails being an individual point of contact for the data subjects and UK data protection authorities. The UK Representative must have sufficient knowledge and expertise of UK laws regarding data protection to be capable of responding to requests and enquiries from data protection authorities as well as individuals exercising their rights.

As the Brexit process progresses and the process continues, it is likely that UK laws on data protection will be altered over time. At present it is expected that non-UK businesses who do business in the UK and collect personal information of individuals in the UK will need to designate a UK Representative.

This is because article 27 of the GDPR in the United Kingdom which was enacted as a UK national law, requires entities without having a presence in the UK to appoint an UK representative for data protection. If you're not sure whether you should nominate a UK representative for data protection it is recommended that you consult an experienced lawyer.