공지사항

What Is a UK Representative and Why Do You Need One?

Natacha has held a variety of high-level positions within the Foreign Office including Deputy Ambassador to China and Director for sales-representative, tujuan.grogol.us, economic diplomacy and Emerging Powers. She also worked on global trade policy as well as international issues related to development.

Businesses established outside of the UK must adhere to UK privacy laws. They must designate a representative in the UK to act as their point of contact for data subjects, as well as the ICO.

What is an UK representative?

The UK Representative is a person, business or other entity that has been authorised by a data processor or controller to act on their behalf on all matters relating to GDPR compliance. They will be the primary contact point for inquiries from individuals exercising their rights or requests from supervisory authorities. They could be subject to national regulations that were enacted as a result of the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. This requirement is applicable to all companies that do not have a permanent establishment in the United Kingdom but offer goods or services, or observe the actions of individuals located there, or who process personal data. The representative must be able to show proof of their identity and that they are able of representing the controller or processor of data in respect to the UK GDPR's requirements.

In addition to acting as a portal avon for representatives individuals to exercise their GDPR rights as well as a means for individuals to exercise their rights under GDPR, the representative must also able to communicate with authorities in the event of an incident. This is because the Representative has to make a formal notification to the supervisory authority who appointed them, regardless of whether the breach impacts data subjects across different jurisdictions.

It is recommended that your chosen Representative has experience working with both European and UK-based data protection authorities. It is also desirable that they have local language skills as they are likely to receive contacts from both individuals and data protection authorities in the countries in which they operate.

The EDPB says that the Representative is accountable for any non-compliance. However, the UK case of Rondon v LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative is not able to be sued by someone who believes the controller of the data has failed to meet the GDPR requirements in the UK. This is due to the fact that according to the court, the Representative has no direct link to the processing of data by the represented entity.

Who should be appointed an UK Representative?

In order to comply with the EU GDPR, companies outside of the EU that market their products or Sales-Representative services towards European citizens but do not have an office, branch or establishment in the EU must designate an EU Representative. This is in addition to requirements from national data protection laws. The function of a representative is to be the local point of contact for supervisory authorities and individuals in relation to GDPR compliance issues.

The UK has a similar requirement to the EU, which is outlined in Article 27 of UK-GDPR. The threshold is the same as the EU requirement: any organisation providing goods or services within the UK, Sales-Representative or monitoring the behaviour of individuals who are data subjects, must designate an UK Representative.

In accordance with the UK-GDPR, a representative must be authorised in writing by the data subject or the [British Information Commissioner's Officeto be able "to be contacted, further or alternatively, on behalf of the controller or processor". They are not personally accountable for GDPR compliance. However they must cooperate with supervisory authorities in formal proceedings and also receive information from data subjects exercising their rights (access request, right to be forgotten etc. ).

Representatives should be based in the EU member state in which the individuals whose data are processed reside. Most of the time, this will not be an easy decision to make and a thorough analysis of legal and business aspects is required to assess the location(s) most suitable for an organisation. This is why we provide an unrivalled service to assist companies in assessing their requirements and deciding on the most appropriate representative option.

It is also recommended that representatives have experience working with both supervisory authority and dealing with inquiries from data subjects. The ability to communicate in a local language could be essential, as the job may require dealing with inquiries by supervisory authority or data subjects in multiple countries throughout Europe.

The identity of the Representative should be disclosed to the individuals who are data subjects by incorporating their information in privacy policies and information provided to individuals prior to collecting their personal data (see Article 13 UK-GDPR). The UK Representative's contact details should also be made available on your website, allowing easy access for supervisory authorities to get in touch with them.

When do you have to designate an UK Representative?

If your company is located outside of the UK and provides goods or services in the UK or monitors the conduct of individuals, you may be required to appoint an UK Representative. The UK's Applied EU GDPR regime applies for established entities outside the UK which are operating in the UK. It has the same extraterritorial reach as EU GDPR, with some exceptions. Take our free self-assessment and check if you're required to comply with this obligation.

A Representative is appointed by the appointing party under an agreement of service to act for that party in relation to certain obligations under the UK GDPR and EU GDPR, as applicable. In the UK it would involve facilitating communication between the appointing entity and the Information Commissioner's Office or any data subjects that are affected in the UK. A Representative can either be an individual or a company with a UK base. The body that appoints them must inform the data subjects that the Representative is processing their personal data and that the identity of the individual or company is readily accessible to supervisory authorities.

The appointing entity must also provide the contact information of its representative to ICO and the data subjects that are affected in the UK in accordance with Article 13 as well as 14 of UK GDPR. It is essential to make clear that the function of a Representative is distinct from and not compatible with the role of a Data Protection Officer ("DPO") that requires a degree of independence and autonomy that cannot be provided by a Representative.

If you are required to appoint a UK representative, it is best to do so as fast as possible. This is because the requirement arises immediately upon Brexit (if there is either a 'hard' or "no deal' Brexit) or after an implementation period (if there is a soft or "with deal" Brexit). There is no grace period.

What are the requirements for the designation of a UK Representative?

According to UK laws on data protection, a representative is a person or company who is "designated" in writing by a company that has no physical presence in the UK, but is still subject to the law. The UK representative has to be capable of representing the entity in compliance with its obligations under the law and their contact information should be made readily available to anyone who reside in the UK who have personal information being processed by the non-UK company.

The UK Representative must be an overseas senior member of a business or media company, and have been hired and employed as an employee by the media or business entity located outside the UK. The visa applicant must genuinely intend to be full-time employed as the UK representative for the media or business company, and are not allowed to engage in any other business ventures in the UK.

In addition the visa applicant must demonstrate the necessary skills and experience to fulfill their role as a UK Representative which includes serving as the local point of contact for any queries from data subjects and the UK data protection authorities. The UK Representative must have sufficient experience and knowledge of UK laws regarding data protection to be able to respond to any inquiries and requests from data protection authorities as well as individuals exercising their rights.

As the Brexit process continues it is likely that the UK laws regarding data protection will evolve over time. At present, it is expected that non-UK businesses who do business in the UK and handle personal data of people in the UK will be required to appoint an official from the UK Representative.

This is because the UK GDPR requires that entities that do not have a UK presence must appoint representatives under article 27 of the UK GDPR which is regarded as a law of the nation in the UK. If you're unsure whether you need a UK representative for data protection, it's recommended that you consult a qualified legal professional.