Data Protection and EU Representatives

Have you considered whether you need an EU or UK Representative after the Brexit transition period?

With only a matter of weeks until the end of the EU exit transition period on December 31st 2020, there are many businesses that may be left ‘out in the cold’ with regards to Data Protection and complying with the EU GDPR.

The problem with a no deal exit, which is very likely given the history of the UK/EU Brexit negotiations and the decision not to extend the transition period is that the United Kingdom will become what’s known as a third country, in respect of the EU’s GDPR and the UK’s own Data Protection Act 2018.

If your business processes personally identifiable data on citizens in the EU and does not have a presence in an EU country, you will not be compliant with Article 27 of the GDPR and this could result in financial penalties and your business conducting illegal data processing activities.

An example of this would be an online retailer ‘Rings r Us’, based in Swindon who conduct their business selling bespoke jewellery to customers across the globe through their online shop, they also market their products to citizens in the EU. The company operates their entire business from one location in Swindon. As they deliver goods and services to citizens in the EU they are required to comply with the EU GDPR. However, one of the important differences from 1st January 2021 is, to continue operating in the European Union when you have no physical presence or establishment based within their territory is, you’ll be required to appoint an EU representative, to act on your company’s behalf. If you process data in multiple EU countries, your EU representative needs to be where your main data processing occurs.

A quick ‘self-assessment’ can be made as to whether this change will affect you:

  • Your organisation has no office / establishment or physical presence in any European member state
  • You process personally identifiable data on the citizens of the European Union offering good or services, e.g. through an online website or app / you use an EU domain (.es/ .fr /.de) or market your goods and services to EU citizens; or
  • You monitor the behaviour of those citizens by tracking website visitors from the EU through cookies, online identifiers, location etc. or offer personalised services specifically to monitor performance or trends (e.g Health & Fitness services)

The role of an EU representative is to:

  • Act as your EU clients point of contact to invoke a request against their individual rights, such as a Data Subject Access Request, the Right to be Forgotten etc. 
  • Cooperate with the relevant EU Supervisory Authority (e.g CNIL in France who are the equivalent of the UK’s Information Commissioner) on behalf of your company; and
  • Retain a record of your EU data processing activity as required under Article 30 of the GDPR

If this issue will impact your business, we can help through our network of partnerships in the EU. We can’t be appointed as your EU representative as we are solely UK based, however our partners do have an EU presence which will meet the compliance requirements of this subtle but important change, come 1st January 2021. 

That being said, the UK to EU relationship detailed above also applies the other way round! The UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK (but still comply with the UK GDPR) must appoint a UK representative. This is where we can help you!

Don’t allow the new year to chime in without checking whether your business will be compliant.