Appointing an EU Representative: Guidance for UK Businesses after Brexit

With the United Kingdom’s departure from the European Union fast approaching, companies headquartered in the UK will have to ensure their data practices are ready for the switch on 31 Dec 2020. After this date, companies headquartered in the UK shall be deemed to be outside of the European Economic Area (EEA), and will therefore need to appoint an EU Representative if they wish to continue processing personal data relating to data subjects from the EEA. 

The General Data Protection Regulation (EU) (2016/679) (GDPR) is a reference point for data protection laws across the globe; not only because of the gold standard of protection it accords EU citizens, but also because the regulation has extra-territorial reach. As such, the GDPR applies to all entities and individuals that process the personal data of data subjects of the EEA, regardless of where such processing takes place or where such entities are based. This will include all companies in the UK that will continue to provide goods and services to EEA data subjects and/or monitor the behaviour of data subjects from the EEA. 

Article 27 of the GDPR specifies that such non-EEA based companies must appoint an EU representative (sometimes also referred to as a data representative) when processing EEA personal data. 

Who needs to appoint an EU representative? 

Companies that are based in the UK could be required to appoint an EU representative following Brexit if: 

  • they act as either a controller or a processor (as defined under the GDPR); 

  • they have no offices, branches or other establishment in the EEA; and 

  • they are offering goods or services to individuals within the EEA; or monitoring the behaviour of individuals in the EEA. 

However, the nature of the processing also needs to be taken into account. Article 27(2) states that the obligation to nominate an EU representative does not apply to: 

Processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or a public authority or body. 

A decision not to appoint an EU representative must be made with caution. Given the high stakes of non-compliance (hefty financial sanctions and reputational risk), such a decision should only be made after seeking professional advice, in order to evidence your compliance in line with the accountability principle of the GDPR. Such documentation will also be important if you are challenged on your decision not to appoint an EU representative or if you are under investigation by a supervisory authority. 

What is an EU representative and what are their obligations? 

Once you have established whether you will be required to appoint an EU representative, the next thing to look at is the requirements of an EU representative. An EU representative is a company or natural person based in the EEA, who will act as a point of contact for non-EEA based controllers or processors. 

This EU representative will act on behalf of the non-EEA based controller or processor to facilitate the exercise of data subjects’ rights within the EEA. This is because it is easier for EEA based data subjects to communicate and work with an EEA based entity. This could include responding to data subjects in their mother tongue (to the extent that this is possible), responding to data subject access requests, deletion requests, etc. Therefore, your EU representative must be capable of fulfilling such obligations within the EEA. 

The EU representative must also cooperate with the competent supervisory authorities in respect of any action, investigation or claim under the GDPR. In practice, this means that a supervisory authority, such as the Commission nationale de l'informatique et des libertés (CNIL) in France or the Datainspektionen in Sweden, would contact the EU representative in connection with any matter relating to the compliance obligations of a non-EEA based controller or processor. 

Do EEA or other non-UK companies without an establishment in the UK need to appoint a UK representative?

Guidance from the ICO states that:

The UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative. 

To our knowledge, this is not yet binding but we will update you as soon as we hear more on this.

Where does our EU representative have to be based? 

Your appointed representative will need to be set up in an EU or EEA member state where some of the individuals whose personal data you are processing are located. Usually, your appointment should be in the territory where you have the largest number of data subjects. The aim of the representative is to be a local point of contact for data subjects and supervisory authorities, and to be able to respond to queries in the local language. Therefore, if you are a UK-based e-tailer who has a significant and recurring revenue stream coming from Germany, it would make sense to have your EU representative based in this country or be able to conduct affairs in German. 

The EU representative must also facilitate any informational or procedural exchange between a requesting supervisory authority and the non-EEA based controller or processor; and must hold a copy of the non-EEA based controller or processor’s processing register in order to supply this to a competent supervisory authority, if and where required. 

The nature of these obligations has meant that lawyers, legal professionals and data specialists have emerged as well suited to the role: their existing expertise in data protection laws places them in the best position to respond to data subject requests and queries from supervisory authorities. This is particularly pertinent when looking at Recital 80 of the GDPR, which states that such an EU representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor. 

So, whilst the EU representative will only ever be liable for their own breaches of their representative duties, they will still have the risk of enforcement proceedings being carried out against them as your representative. In this scenario, they will act as a facilitator of contact and act on your instructions. Notably, this does not affect the responsibility or liability of the non-EEA based controller or processor. 

How to appoint an EU representative? 

Non-EEA based controllers or processors will need to authorise their EU representative, in writing, to act on their behalf in relation to their GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect. This is usually done by way of a Service Agreement. It is recommended that a single individual be assigned as a lead contact and person in charge, in order to control such compliance in a practical way that allows for clear communication and accountability. 

Do we have to notify the relevant supervisory authority of the appointment of an EU representative? 

The general rule under the GDPR is that once appointed, such EU representative does not need to be notified to a relevant supervisory authority. However, some authorities have implemented their own local requirements. Therefore, it is best to review this on a case-by-case basis, either through advice from your nominated representative or professional. If you are required to notify your local supervisory authority, you will need to provide the name and contact details of your EU representative – which can be done by publishing these details on your website. 

Do we have to notify data subjects of the appointment of an EU representative? 

Under the principle of transparency, non-EEA based controllers and processors are required to inform the EEA-based individuals whose personal data they are processing of the appointment of their EU representative. This notification can be done by adding the name and contact details of your EU representative in your privacy policy/notice, or in any information you give to the individuals when collecting their personal data.

What about Data Protection Officers? Can these two roles be carried out by the same individual? 

An EU representative should not be confused with a Data Protection Officer (DPO). A DPO’s function is not to represent a controller or processor, but rather to have an active and advisory role: to assist a controller or processor in monitoring their internal compliance, to inform and advise on data protection obligations and to provide advice regarding Data Protection Impact Assessments. The two roles do overlap, as a DPO can also act as a point of contact for data subjects and supervisory authorities. However, a DPO can go one step further and respond substantively on any issues raised. In comparison, an EU representative only acts to facilitate liaison and enforcement between supervisory authorities, data subjects and non-EEA controllers and processors. 

As such, guidance from the European Data Protection Board states that the role of an EU representative and that of a DPO cannot be combined. This is because the GDPR contains guarantees whereby the DPO needs to be able to act independently and with autonomy when carrying out its/their functions. 

Companies are required to ensure that DPOs do not receive any instructions regarding the exercise of their tasks, which is not compatible with the function of an EU representative, who is mandated to carry out its tasks on the basis of precise instructions given by the non-EEA based controller or processor. The main risk is the issue of conflicts of interest: for example, an external DPO who was also acting as an EU representative would not be able to communicate to a data subject a measure taken by the controller or processor which they, with their DPO hat on, had advised against or considered non-compliant with the GDPR. 

Next steps

If you believe that your company needs to appoint an EU representative, you should do so without delay and seek appropriate advice on how to appoint one. If you decide not to appoint one, do get advice on how to make that decision and how to document it.

Ensuring your company is ready for Brexit

In addition to appointing an EU representative, there are several other elements you should consider in order to ensure your data practices are secured after Brexit on 31 December 2020. This includes: 

If you have any questions about your Brexit requirements, about how or whether you need to appoint an EU representative, or would like any advice on how privacy law applies to your business, please don’t hesitate to get in touch!

Article by Komal Shemar @ Gerrish Legal, December 2020
