EU representation – what UK businesses need to know
The EU, Brexit, GDPR... and you
EU representation isn’t a new thing – it’s a core component of the GDPR – but it has become something that UK companies need to be aware of post Brexit. Up until 31st December 2020, UK companies didn’t need to worry about having an EU representative, as the UK was a part of the EU. Now things have changed, and many UK businesses need to find an EU data representative in order to maintain compliance with EU GDPR.
What is an EU representative?
The purpose of an EU representative is to be a point of contact for both the data subjects based in the EEA and the Supervisory Authorities in the EEA. Effectively, an EU representative must be able to represent a company regarding its obligations under the EU GDPR. They can be an individual or a company (e.g. law firm, consultancy or other private company), and will have to be mentioned on privacy notices so that people based in the EEA know who to contact if they wish to exercise their rights under the GDPR. Equally, they will also hold and maintain any records of processing for a company and make these available to the Supervisory Authorities as required.
When do I need an EU representative?
You need an EU representative if your business:
- Offers goods and services to the EU
- Monitors people in the EU
- Doesn’t have an office, branch (or other establishment) in the EU
There are some exceptions to be aware of here, so you don’t need an EU representative if:
- You’re a public authority
Or
- The processing is only:
  - Occasional
  - Of low risk to the data protection rights of individuals
  - Doesn’t involve the large-scale use of special category data
  - Doesn’t involve the large-scale use of criminal offence data
The more formal wording used in the GDPR itself can be viewed here.
Want to find out more about GDPR?
Bulletproof has helpful free resources for organisations looking to find out more about GDPR. Why not download our educational GDPR white paper, watch our insightful webinar featuring our Head of Compliance, or view our interesting infographics?
What about a UK representative?
As the saying goes, what’s good for the goose is good for the gander. And sure enough, following Brexit, there’s now the need for companies based outside of the UK to have a UK representative to maintain compliance with UK GDPR. The rules and exclusions are the same as mentioned above:
A non-UK business needs a UK representative if it:
- Offers goods and services to the UK
- Monitors people in the UK
- Doesn’t have an office, branch (or other establishment) in the UK
As before, the exclusions are essentially the same, so a UK representative isn’t needed if either:
- You’re a public authority
Or
- The processing is only:
  - Occasional
  - Of low risk to the data protection rights of individuals
  - Doesn’t involve the large-scale use of special category data
  - Doesn’t involve the large-scale use of criminal offence data
Where should an EU representative be based?
The ICO states that the EU representative should be based in a country where (some of) your data subjects are located. Obviously, if you process personal data of data subjects located across the EU, you will need to decide on the best place to locate your EU representative, taking into consideration the volume of data subjects you have in each country, the need to be able to communicate with the data subjects and Supervisory Authorities in their language, and where the representative can most effectively fulfil their role. However, if you’ve only got customers in, say, Spain, you should locate your representative in Spain.
What do you need to do to appoint an EU representative?
Once you’ve determined the best location for your EU representative, you need to appoint an EU representative officially by confirming the appointment in writing. Make sure you keep the ‘EU Data Representative Appointment Letter’ on file. You’ll also need to have a contract in place to ensure their role is clearly defined, reporting lines are in place, and so on. Note that having a representative does not affect your own liability or responsibilities under the EU GDPR.
Once you have appointed a representative, you need to make sure you update your privacy notices to provide their contact details so that data subjects and the Supervisory Authorities are able to contact them – this is in addition to any other contacts you have on your privacy notice e.g. your UK contacts.
Can my DPO be my EU representative?
Simply put: no.
Whilst this might seem like a handy shortcut at first, the European Data Protection Board issued guidance back in November 2018 saying that there was a clear conflict of interest if the Data Protection Officer (DPO) was also the EU representative. Plus, DPOs often have their hands full dealing with data subject access requests and reporting breaches, amongst much else. On the subject of data breaches, find out what Bulletproof DPOs thought of the biggest data breaches of 2020 and what lessons businesses could learn.
In Summary
In this blog we learnt:
- Barring a few exceptions, representation is a necessary part of GDPR compliance
- It applies to companies who aren’t based in the EU but want to continue business operations there
- Your EU representative must be in a location where your data subjects are
- You must include the representative’s contact details in your privacy notices
- The same goes for non-UK businesses operating in the UK
- Your DPO can’t also be your EU/UK representative
Get help with your data protection obligations
Bulletproof’s experienced data protection officers give your business on-going support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packages.