Article 27 – UK & EU Representative services
Article 27 – UK & EU Representative services
The UK entered a period of transition which ended on 31st December, 2020, as the Brexit uncertainty ended with the passing of the withdrawal agreement bill.
Data controllers or processors are under the obligation to designate a representative in the Union, per GDPR Article 3(2). An unestablished controller or processor to the Union, but subject to the GDPR has to designate a representative in the Union, failing which, there shall be a breach in the regulation.
Who is a ‘representative’ and whom does it apply to?
A representative is someone who is a delegate of the organization they represent; one who can communicate with people, as well as data protection authorities on behalf of the organisation in relation to data protection matters. Organizations no longer mounted in the EU are required to designate a representative in an EU member state, if the organisation collects personal data of the people in the EU, per GDPR. Organisations with obvious intentions to provide services or goods to people in the EU also come under the purview of GDPR. Following Brexit, organisations in the UK will be subject to the equal requirements, as they will no longer be mounted in the EU.
In addition to this, organisations no longer based totally in the UK who are supplying goods or offering services to people in the UK or monitoring their behaviour are required to designate a representative from the UK, in order to comply with the new data protection laws following Brexit. This has been highlighted by the Information Commissioner’s Office (ICO), which has mentioned that ”the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.
What does this mean in practice for organisations?
UK based organisations processing personal data require a representative that fulfils the obligations set out in Article 27 of the GDPR, in the EU.
Following the Brexit transition period, this is what has changed:
- Organisations established outside the EU and the UK. Following Brexit, these organisations need an additional representative. If the organisation’s present day EU representative is primarily based in the UK, however the organisation sells to or collects personal data of individuals in the EU, an additional EU representative is required to comply with the GDPR. If the organisation’s present-day representative is based in another EU member state, but the organisation sells to or monitors people in the UK, a UK representative is required to comply with UK law.
Alternatively, it may additionally show inexpensive to appoint an outsourced representative with businesses in each EU and the UK which can act on the organisation’s behalf in each cases.
- Organisations established in the UK: organisations established in the UK but which supply goods or offer services to, or monitor people in the EU need to designate a representative in an EU country following Brexit.
- Organisations established in other EU countries: In compliance with the UK law, organisations established in the EU but not in the UK, which offer goods or services to, or monitor, people in the UK need to designate a representative in the UK following Brexit.
What do you need to consider when designating an EU and/or a UK representative?
- Considering your present-day business operation, and its future, assess where you need a representative (the UK and/or EU)
- Assess whether your organization foresees an expansion which may move to a new market. Will your organization need a representative in the UK and/or the EU?
- Asses your business and find the best possible option to minimise the cost of designating representative(s) (e.g. a representative designated in the jurisdiction itself).
- While a UK representative is notable easy in terms of the representative’s location, non-EU businesses will want to determine cautiously when deciding where to designate their EU representative.
- If an organisation processes data from people in multiple EU countries, the representative shall remain easily accessible to the people in all those countries and must be able to communicate with the people and supervisory authorities of these countries, in the language spoken by them.
An outsourced EU representative with a global presence will make it less difficult to have a representative without difficulty available to people and supervisory authorities in each of these countries, with the language capabilities required to speak with them.
SCCs – International Transfers
What is the new SCC? Organizations subject to the EU GDPR are subject to Article 45 EU-DSGVO (with the exception of Article 45 EU-DSGVO (that is, unless they provide an "appropriate guarantee" within the meaning of Article 46 EU-DSGVO (with the exception)....
GDPR and how SaaS (Software as a service) businesses can become compliant with the GDPR
GDPR and how SaaS (Software as a service) businesses can become compliant with the GDPR On May 25, 2018, the European Union introduced the General Data Protection Regulation (GDPR) to ensure maximum data protection privileges for people across the European Union....
Data in Sports
Data in sports Data analytics in sports was first popularized by the efforts of Billy Beane during his reign as General manager of the Oaklands Athletics baseball team (also portrayed in the commercial film Moneyball). However, it’s a common practice now for...
Ring video doorbell : GDPR and Privacy – what homeowners need to know
Ring video doorbell : GDPR and Privacy - what homeowners need to know A recent case in the Oxford County Court highlighted the perils for homeowners of operating a Ring product to protect their properties. Ring products, such as smart doorbells and security...
CHALLENGES AND RISKS INVOLVED WITH DATA RETENTION
The risks of over or under retention Organizations want to be conscious of the legal guidelines that pertain to their personal data processing. Personal data have to be kept lengthy adequate to comply with applicable legal responsibility. The minimum or maximum...
GDPR – Here’s What You Should Know Before Collecting Customer Personal Data
Data is everywhere and smart companies know how to use customer data to their advantage. If you regularly harvest customer data to understand consumer patterns and for remarketing purposes, you must know about the rules and regulations that protect customers from...