공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a variety of senior positions in the Foreign Office including Deputy Ambassador to China and Director for economic diplomacy and Emerging Powers. She has also been involved in global trade policy and international issues.

Companies that are not based in the UK must comply with UK privacy laws. They must designate a representative in the UK to act as their point of contact for data subjects and the ICO.

What is a UK Representative?

The UK Representative is a person, business or other entity that has been mandated by a controller or processor of data to act on their behalf in all matters related to GDPR compliance. They will be the main contact point for any inquiries from data subjects who exercise their rights or requests from supervisory authorities. They may be subject to national requirements that have been implemented due to the GDPR’s extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).

The appointment of Representatives is required under Article 27 of the EU GDPR, and the UK equivalent, Section 3(2) of the Data Protection Act 2018. This requirement applies to all companies that do not have a permanent presence in the United Kingdom but offer goods or services, or observe the actions of individuals located there or who handle personal data. The representative must be able to provide evidence of their identity and that they are competent in representing the controller or processor of data in relation to the UK GDPR's requirements.

The representative must be able to communicate with authorities if there's an incident. This is because the Representative must make a formal notification to the supervisory authority who appointed them regardless of whether the breach affects individuals across different jurisdictions.

It is recommended that your representative has worked with both European and UK-based authorities for data protection. It is also recommended for them to speak a local language because they will receive calls from individuals and agencies in the countries they operate in.

The EDPB declares that the Representative is accountable for non-compliance. However, the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative is not able to be sued by anyone who believes that the controller of the data has failed to comply with GDPR in the UK. The court found that the Representative was not in direct connection with the data processing activities of the entity that it represented.

Who is responsible for appointing the UK Representative?

To be in compliance with the EU GDPR, businesses that are not part of the EU who are aiming their goods or services to European citizens, but do not have becoming an avon representative office, branch, or establishment within the EU must designate an EU Representative. This is in addition to the requirements of national laws on data protection. A representative's job is to be a local point-of-contact for individuals and supervisory bodies in relation to GDPR issues.

The UK has an identical requirement to that of the EU that is described in Article 27 of UK-GDPR. As with the EU requirement the threshold is not high: any organisation that offers goods or services to or monitors the behavior being an Avon Representative of data subjects in the UK must designate an official from the UK Representative.

According to the UK-GDPR a representative must be authorized in writing by the data subject or the [British Information Commissioner's Office[British Information Commissioner's Office] "to be contacted, further or alternatively, on behalf the controller or processor". They are not able to be held personally liable for the GDPR's compliance. However they must cooperate with supervisory authorities in formal proceedings and also receive information from data subjects who exercise their rights (access request or right to be forgotten etc. ).

Representatives should be located in the member state of the European Union in which the individuals whose personal data is processed are resident. In the majority of cases, this will not be an easy decision to make and a careful business and legal analysis is required to determine the location(s) most appropriate for an organization. For being an Avon representative this reason we offer an individualized service that assists organisations in assessing their needs and selecting the best Representative option.

It is also advisable that representatives have experience working with supervisory authorities and dealing with requests from data subjects. Language skills in the local area are important since the job will be involving dealing with requests from data subjects or supervisory authorities across Europe.

The identity of the Representative should be made clear to the individuals who are data subjects by incorporating their details in privacy policies as well as the information provided to individuals before collecting their data (see Article 13 of the UK-GDPR). Contact information for the UK Representative should be published on your website so that supervisory authorities are able to easily contact them.

When do you need to appoint an UK Representative?

If your company is located outside the UK, offers goods or services to customers who reside in the UK, or monitors their behavior, you may need to appoint the position of a UK Representative. The UK's applied EU GDPR regime applies for non-UK established entities that are performing activities in the UK. It has the same extraterritorial reach as EU GDPR, with some exceptions. It is recommended that you take our free self-assessment to determine if you are subject to this obligation.

A representative is appointed by the appointing entity in a service contract to act on behalf of the entity in relation to a number of its obligations under the UK and EU GDPR if applicable. In the UK the primary purpose of this is to facilitate communication between the appointing entity and the Information Commissioner's Office (ICO) or any other affected data subjects in the UK. A Representative can either be an individual or a company with a UK base. The entity that is appointing the representative must inform individuals who are data subjects that their personal information will be processed by the Representative, and the identity of that person or company should be readily available to supervisory authorities.

The entity that appointed the representative must provide the contact details of its Representative to the ICO and the data subjects that are affected in the UK in accordance with Article 13 as well as 14 of the UK GDPR. It must be made clear that the representative's job is different from the role of the role of a Data Protection Officer (DPO), which requires a degree of autonomy and independence that is not available to the role of a representative.

If you are required to designate a UK representative it is recommended to do so as fast as possible. This is because the requirement arises immediately upon Brexit (if there is a 'hard' or 'no deal' Brexit) or after an implementation period (if there is a soft or "with deal" Brexit). There is no grace period.

What are the requirements for the designation of a UK Representative?

Under the UK laws on data protection (and specifically article 27 of the UK GDPR) A representative is an individual or company that is "designated in writing" by an entity that does not have a presence in the UK but is subject to the provisions of the law. The UK representative has to be able to represent the entity with regard to its obligations under the law, and their contact details must be readily available to those in the UK who have personal information being an avon for representatives representative (moved here) processed by a non-UK-based business.

The UK Representative must be an overseas senior employee of a media or business organization and have been hired and employed as an employee of the media or business entity outside the UK. The visa applicant must plan to work as the UK representative of the business or media organization full-time and not engage in any other business activities within the UK.

The applicant also has to prove that they have the knowledge and experience necessary to fulfill their role as UK representative, which entails acting as the local point of contact for the data subjects and UK data protection authorities. This is to ensure that the UK Representative has sufficient knowledge of and expertise in the UK data protection laws and is able to respond to requests from individuals exercising their rights under the law and any other inquiries or requests received from data protection authorities.

As the Brexit process continues, it is likely that the UK laws regarding data protection will evolve as time passes. At present it is expected that companies from outside the UK who do business in the UK and handle personal data of individuals in the UK will need to appoint a UK representative.

This is because the UK GDPR requires that entities with no UK presence must appoint representatives under article 27 of the UK GDPR which is regarded as a national law in the UK. If you are not sure whether you are required to designate the position of a UK data protection representative It is suggested that you speak to an experienced lawyer.