What Is a UK Representative and Why Do You Need One?
Natacha has held various senior positions at the Foreign Office, including as Deputy Ambassador for China and UK Representative Director for Economic Diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.
Businesses established outside of the UK must adhere to UK privacy laws. They must designate a representative in the UK to act as their point of contact for data subjects and the ICO.
What is a UK Representative?
The UK Representative is a person, business or organisation that has been mandated by the controller or data processor to act on their behalf in all matters related to GDPR compliance. They will be the primary contact point for any requests from data subjects who exercise their rights or requests from supervisory authorities. They may also be subject to national laws that have been put in place because of the GDPR’s extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).
The appointment of Representatives is required under Article 27 of the EU GDPR, as well as the UK equivalent Section 3(2) of the Data Protection Act 2018. The requirement applies to any organization that does not have its own place of business within the United Kingdom and that offers products or services to or monitors the behaviour of individuals residing in the United Kingdom, or that manages personal data of those individuals. The representative must be able to provide authentic proof of their identity, and show that they can represent the data processor or controller in connection with UK GDPR requirements.
In addition to acting as a means for individuals to exercise their rights under GDPR, the representative must also be capable of communicating with authorities in the event of an incident. The representative must inform the supervisory authority that appointed them, regardless of whether or not the breach affects individuals in multiple jurisdictions.
It is recommended that your Representative has experience working with both European and UK-based data protection authorities. It is also recommended that they speak a local language, since they are likely to receive calls from individuals and data protection agencies in the countries in which they operate.
While the EDPB states that the Representative will be held liable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative cannot be sued by an individual for the data controller’s inability to comply with the UK GDPR. This is because, according to the court, the Representative has no direct connection to the processing of data by the representative entity.
Who is required to appoint the UK Representative?
To comply with the EU GDPR, businesses outside the EU that are aiming their goods or services towards European citizens but do not have an office, branch, or establishment within the EU must designate an EU Representative. This is in addition to the requirements from national laws regarding data protection. The purpose of a Representative is to be a local point of contact for supervisory authorities and individuals with respect to GDPR compliance issues.
The UK has its own equivalent to the EU requirements, as laid out in Article 27 of the UK-GDPR. The threshold is the same as the EU requirement: any company that offers goods or services in the UK, or monitors the behaviour of individuals who are data subjects, must designate a UK representative.
Under the UK-GDPR, a Representative must be formally authorized “to be addressed, in addition or alternatively addressed, on behalf of the controller or processor by data subjects and the British Information Commissioner’s Office”. They cannot be held personally responsible for GDPR compliance. They must, however, cooperate with supervisory authorities during official proceedings, and receive notifications from individuals who exercise their rights.
Representatives should be located in the member state of the European Union in which the individuals whose personal data is processed reside. In most cases this is not an easy choice to make, and a careful analysis of the legal and business context is required to assess the location(s) best suited to an organization. This is why we provide an individualized service that assists companies in assessing their requirements and selecting the best representative option.
It is also advisable that the representative has experience interacting with supervisory authorities and handling data subject requests. Local language skills are also often important, as the job will involve dealing with requests from supervisory authorities or data subjects across Europe.
The identity of the representative should be disclosed to the data subjects by including their information in privacy policies and the information provided to individuals before collecting their personal data (see Article 13 UK-GDPR). The UK Representative’s contact details should also be published on your website, allowing an easy way for supervisory authorities to contact them.
When do you have to designate a UK Representative?
If your organisation is located outside of the UK and offers products or services in the UK or monitors the behavior of individuals, you might be required to appoint a UK Representative. The UK’s Applied EU GDPR regime applies to entities established outside the UK that are performing activities in the UK. It has the same extraterritorial scope as EU GDPR, with limited exceptions. Take our free self-assessment and check if you’re legally bound by this obligation.
A Representative is mandated by the entity that appointed them, under an agreement, to represent the entity in relation to a number of its obligations under UK and, if applicable, EU GDPR. In the UK, the main purpose of this would be to facilitate communication between the party that appointed them and the Information Commissioner’s Office (ICO) or any affected data subjects in the UK. A Representative could be an individual or a company which is based in the UK. The body that appointed them must inform the data subjects that the representative will be processing their personal data and that the identity of the individual or business is readily accessible to supervisory authorities.
According to Articles 13 and 14 of the UK GDPR, the entity that appoints the representative is also required to provide the contact information of its representative to the ICO as well as the data subjects in the UK. It is imperative to make clear that the role of a representative is distinct from the role of a Data Protection Officer (DPO), which requires a degree of autonomy and independence that is not achievable for representatives.
If you are required to designate a UK representative, you must do it as soon as possible. This is because the obligation applies either immediately following Brexit (if it’s a “hard” or “no deal” Brexit) or following an implementation period (if it’s a “soft” or “with deal” Brexit). There is no grace period.
What are the requirements for the designation of a UK Representative?
Under the UK law on data protection (and specifically Article 27 of the UK GDPR), a Representative is an individual or a company that is “designated in writing” by an entity that lacks a presence in the UK but is subject to the provisions of the law. The UK representative has to be competent to represent the company in compliance with its obligations under the law, and their contact details must be readily accessible to anyone residing in the UK whose personal information is being processed by the non-UK business.
The individual who is the UK Representative must be a senior member of the media or business organisation and have been recruited and appointed as an employee outside the UK by the media or business organisation. The visa applicant must plan to serve as the UK representative for the business or media organisation full-time and not engage in any other business activities within the UK.
The visa applicant also needs to prove they have the knowledge and experience necessary to fulfill their role as UK representative, which entails serving as the local point of contact for the data subjects and UK data protection authorities. The UK Representative must have the knowledge and understanding of UK data protection laws to be competent to respond to queries or requests from data protection authorities and individuals exercising their rights.
As the Brexit process continues, it is expected that the UK laws regarding data protection will change over time. However, at the moment it is expected that non-UK businesses that conduct business in the UK and handle personal data of individuals in the UK will be required to appoint a UK representative.
This is because Article 27 of the UK’s GDPR, which was adopted as UK national law, requires companies without any presence in the UK to nominate a UK representative for data protection. If you’re not sure if you’re required to have a UK representative for data protection, it’s recommended that you consult a qualified legal professional.