Dataologie Banner

Article 27 – UK & EU Representative services

The UK entered a period of transition which ended on 31^st December, 2020, as the Brexit uncertainty ended with the passing of the withdrawal agreement bill.

Data controllers or processors are under the obligation to designate a representative in the Union, per GDPR Article 3(2). An unestablished controller or processor to the Union, but subject to the GDPR has to designate a representative in the Union, failing which, there shall be a breach in the regulation.

Who is a ‘representative’ and whom does it apply to?

A representative is someone who is a delegate of the organization they represent; one who can communicate with people, as well as data protection authorities on behalf of the organisation in relation to data protection matters. Organizations no longer mounted in the EU are required to designate a representative in an EU member state, if the organisation collects personal data of the people in the EU, per GDPR. Organisations with obvious intentions to provide services or goods to people in the EU also come under the purview of GDPR. Following Brexit, organisations in the UK will be subject to the equal requirements, as they will no longer be mounted in the EU.

In addition to this, organisations no longer based totally in the UK who are supplying goods or offering services to people in the UK or monitoring their behaviour are required to designate a representative from the UK, in order to comply with the new data protection laws following Brexit. This has been highlighted by the Information Commissioner’s Office (ICO), which has mentioned that ”the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.

What does this mean in practice for organisations?

UK based organisations processing personal data require a representative that fulfils the obligations set out in Article 27 of the GDPR, in the EU.

Following the  Brexit transition period, this is what has changed:

• Organisations established outside the EU and the UK. Following Brexit, these organisations need an additional representative. If the organisation’s present day  EU representative is primarily based in the UK, however the organisation sells to or collects personal data of individuals in the EU, an additional EU representative is required to comply with the GDPR. If the organisation’s present-day representative is based in another EU member state, but the organisation sells to or monitors people in the UK, a UK representative is required to comply with UK law.

Alternatively, it may additionally show inexpensive to appoint an outsourced representative with businesses in each EU and the UK which can act on the organisation’s behalf in each cases.

• Organisations established in the UK: organisations established in the UK but which supply goods or offer services to, or monitor people in the EU need to designate a representative in an EU country following Brexit.

• Organisations established in other EU countries: In compliance with the UK law, organisations established in the EU but not in the UK, which offer goods or services to, or monitor, people in the UK need to designate a representative in the UK following Brexit.

What do you need to consider when designating an EU and/or a UK representative?

• Considering your present-day business operation, and its future, assess where you need a representative (the UK and/or EU)
  • Assess whether your organization foresees an expansion which may move to a new market. Will your organization need a representative in the UK and/or the EU?

• Asses your business and find the best possible option to minimise the cost of designating representative(s) (e.g. a representative designated in the jurisdiction itself).
  • While a UK representative is notable easy in terms of the representative’s location, non-EU businesses will want to determine cautiously when deciding where to designate their EU representative.
  • If an organisation processes data from people in multiple EU countries, the representative shall remain easily accessible to the people in all those countries and must be able to communicate with the people and supervisory authorities of these countries, in the language spoken by them.

An outsourced EU representative with a global presence will make it less difficult to have a representative without difficulty available to people and supervisory authorities in each of these countries, with the language capabilities required to speak with them.