공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has served in various senior positions at the Foreign Office, including as Deputy Ambassador for China and Director of Economic Diplomacy and Emerging Powers. She has also been involved in global trade policy and international issues related to development.

Businesses located outside the UK are obliged to comply with UK privacy laws. They must appoint an official in the UK who will serve as their point-of-contact for data subjects and ICO.

What is what is a UK Representative?

The UK Representative is a person, company or other entity that has been mandated by a controller or processor of data to act on their behalf in all matters related to GDPR compliance. They will be the primary contact point for inquiries from data subjects exercising their rights, or requests from supervisory authorities and may also be subject to national regulations that were enacted in the context of GDPR's extraterritorial reach (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. This requirement is applicable to all organizations that do not have a permanent location in the United Kingdom but offer goods or services, or observe the actions of those who reside there, or who process personal data. The representative must be able to provide evidence of their identity and that they are able of representing the data controller or processor in respect to the UK GDPR's requirements.

The Representative must be able to communicate with authorities if there's an incident. This is because the Representative has to make a formal notification to the supervisory authority that appointed them regardless of whether the breach impacts the data subject across different jurisdictions.

It is essential that the representative you choose has worked with both European and UK data protection authorities. It is also desirable to have local language skills as they are likely to receive contacts from both individuals and data protection authorities in the countries where they operate.

The EDPB states that the Representative is responsible for any non-compliance. However, the UK case of Rondon v LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative cannot be sued by a person who believes that the data controller has failed to comply with GDPR in the UK. This is due to the fact that according to the court the Representative has no direct connection to the processing of data by the representative entity.

Who is required to appoint a UK Representative?

To comply with the EU GDPR, companies outside of the EU that market their products or services for European citizens but do not have an office, branch or establishment within the EU must appoint an EU Representative. This is in addition to requirements of national data protection laws. A representative's job is to be a local point-of-contact for supervisory bodies and individuals regarding GDPR concerns.

The UK has its own equivalent to the EU requirement, which is set out in Article 27 of the UK-GDPR. Similar to the EU requirement the threshold is lower and any business that offers goods or services to, or monitors the conduct of data subjects within the UK must choose becoming an avon representative (www.google.ru) UK Representative.

According to the UK-GDPR, a representative must be approved in writing by the data subjects or the [British Information Commissioner's Office[British Information Commissioner's Office] "to be addressed, additionally or alternately, on behalf the controller or processor". They are not personally responsible for GDPR compliance. However they must cooperate with supervisory authorities in formal proceedings and receive notifications from data subjects who exercise their rights (access request and right to be forgotten etc. ).

Representatives should be based in the EU member state in which the individuals whose personal data are processed reside. In most cases this isn't a straightforward decision to make. A careful business and legal analysis is required to determine the location(s) best suited to an organisation. We provide a specialized service to help companies assess their needs and choose the best representative option.

It is also advisable that representatives have experience working with supervisory authorities and handling data subject requests. The ability to communicate in a local language could be crucial, since the role may involve handling inquiries from data subjects or supervisory authority in multiple countries throughout Europe.

The identity of the representative should be made known to the individuals who are the data subjects via privacy policies and the information given prior to collecting data (see article 13 in the UK-GDPR). Contact information for the UK Representative should be posted on your website so that supervisory authorities can easily reach them.

When do you have to appoint a UK Representative?

If your organisation is located outside of the UK and provides products or services in the UK or monitors the behaviour of individuals, you could be required to appoint an UK Representative. The UK's applied EU GDPR regime is available to non-UK established entities that conduct business in the UK. It has the same extraterritorial scope as EU GDPR, with some exceptions. Take our free self-assessment to check if you're legally bound by this obligation.

A representative is authorised by the appointing entity in a service contract to represent the entity with respect to certain of its obligations under UK and EU GDPR as applicable. In the UK the primary purpose of this would be to facilitate communication between the party that appointed and the Information Commissioner's Office (ICO) or any other affected data subjects in the UK. A Representative could be an individual or a UK-based company. The body that appoints them must inform data subjects that the representative will be processing their personal data and that the identity of the individual or company is readily available to supervisory authorities.

The entity that is appointing the representative must provide the contact details of its Representative to the ICO and all data subjects affected in the UK in conformity with Article 13 and 14 of the UK GDPR. It is imperative to make clear that a representative's role is distinct from the role of the position of a Data Protection Officer (DPO), Becoming an Avon Representative which requires a degree of autonomy and independence not possible for representatives.

If you have to designate a UK representative it is recommended to do so as fast as you can. This is because the requirement will be in effect immediately after Brexit (if there is an 'hard' or 'no deal' Brexit) or after being an avon representative implementation period (if there is a'soft' or 'with deal' Brexit). There is no grace time.

What are the requirements for a UK Representative?

According to UK laws on data protection, a representative is a person, or a business who is "designated" in writing by an entity that doesn't have a physical presence in the UK but is subject to the law. The UK representative should be able to represent an entity in relation to its obligations under law. Their contact details should be readily available to UK residents whose personal information are processed by a non-UK company.

The UK Representative must be an overseas senior member of a business or media organization and have been hired and employed as an employee by the media or business entity located outside the UK. The person applying for the visa must intend to be full-time employed as the UK representative for the business or media organization, and they must not engage in any other business activities in the UK.

The applicant also has to prove they have the knowledge and experience required to perform their role as UK representative, which entails acting as an individual point of contact with data subjects and UK authorities for data protection. This is to ensure that the UK Representative is well-informed of and understanding of the UK data protection laws and can be able to respond to requests from individuals exercising their rights under the law in addition to any other requests or enquiries received from data protection authorities.

As the Brexit process moves forward it is likely that the UK laws on data protection are going to change over time. At the moment, however it is expected of non-UK companies that do business in the UK and collect personal data on individuals in the UK, to appoint UK representatives.

It is because article 27 of the UK's GDPR that was adopted as a UK national law, requires all entities that do not have any presence in the UK to nominate a UK data protection representative. If you are not sure whether you are required to designate the position of a UK representative for data protection it is recommended that you consult an experienced lawyer.