EU and UK Representatives: Compliance with GDPR post-Brexit
Posted on 6 Jan 2021
The General Data Protection Regulation (“GDPR”) came into effect on 25 May 2018 and brought a whole range of new requirements for firms that hold data on EU subjects. By now we are surely all aware of the large potential fines imposed by the GDPR (the greater of EUR 20 million or 4% of turnover); however, the GDPR also extended its territorial scope beyond the EEA and can therefore be enforced against firms outside of Europe.
In the last year or so, we have witnessed a rise in the number of cases brought against controllers and processors of personal data of EU subjects that are based outside of the EU. Data controllers/processors from outside the EU are subject to the GDPR because they process (including, inter alia, possessing and accessing) the data of EU subjects, and they are under an obligation to designate a representative in the Union (as per Article 27 GDPR) (the “EU Representative”). The role of the EU Representative is to provide an easy line of communication between the data subject or the regulator for the relevant EU member state and the company based outside the EU. The difficulties an EU Representative is meant to overcome include language barriers and time-zone differences, speeding up liaison between regulators and holders of EU subjects’ data.
Role of an EU Representative
The EU Representative acts on behalf of a data controller or processor. While not directly responsible for the data processor’s/controller’s compliance with the GDPR, they are required to facilitate any conversations between them and the data subject or regulator. These requirements may include:
- Facilitating the data processor’s/controller’s responses to data subject requests (such as the right of access, the right to erasure or the right to data portability). It is worth remembering that it is the EU Representative who brings any contraventions of the regulation to the regulator; they are the second line of enforcement, just after self-regulation by processors and controllers.
- The EU Representative performs tasks according to the mandate received from the controller or processor, including cooperating with competent supervisory authorities about any activity taken to ensure compliance with GDPR.
- They may be required to help to facilitate with translation, as communication should be in the language or languages used by the supervisory authority or the data subject.
- The EU Representative should be readily available to answer any queries from the data subjects or supervisory authorities to ensure they can contact the data controller/processor’s supervisor whenever necessary.
Importantly, the EU Representative will not be held primarily liable for the controller’s or processor’s breaches of the GDPR, but the supervisory authorities may enforce ‘corrective measures or admin fines or penalties’ if the EU Representative is found to have failed to perform their tasks adequately. In this regard, the EU Representative remains liable under the GDPR for its own failures.
What is a UK Representative?
The UK left the EU at the start of 2020 and the transition period has just come to an end. With this in mind, if you were relying on an EU Representative based in the UK to make sure you were covered under Art. 27 GDPR, this is no longer a viable option. The UK implemented the EU GDPR into its domestic law, now known as the UK GDPR. As such, if your business is located outside the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK, then you need to consider appointing a UK Representative. For more information on this, visit the ICO’s page on UK Representatives or contact Laven.
For this article, where we refer to “EU Representatives” please bear in mind you may require an equivalent “UK Representative” to lawfully hold data of subjects both on the continent and in the UK.
How to choose an EU or UK Representative?
The EU and its advisory body, the European Data Protection Board (‘EDPB’), have released guidance on the role an EU Representative should take and what controllers/processors within the scope of Art. 27 GDPR should look for when choosing a Representative:
- Representatives should be a natural or a legal person established in a member state of the EU.
- They should have the capacity to support the data controller/processor with whom they have entered into an agreement, responding to any data subject or supervisory authority requests in a timely and efficient manner.
- The same firm cannot be an outsourced Data Protection Officer (‘DPO’) and an EU Representative as there is the potential for conflicts of interest.
- Similarly, the same firm cannot be an EU Representative and act as a data processor for the same client. It is anticipated that this will also cover agreements between processors and sub-processors.
- Representatives are the points of contact for privacy matters relating to your customers and data protection authorities in the EEA. For this reason, it’s important to choose a Representative who has clear and timely lines of communication, so as not to inconvenience the regulator or your customers.
- One Representative is required per firm that is based outside the EU but holds data on EU subjects.
- If you hold a large amount of information on subjects in a particular jurisdiction, the EDPB recommends choosing an EU Representative there. This should remove any cultural or language barriers that may delay the process. However, given how fluid the territorial reach of businesses is today, clarity of process and accessibility of the Representative should be the main considerations, as it is not practical to change the Representative each time a business changes the location of its target audience.
Are there any exemptions?
There are a few exemptions from the requirement to appoint a Representative. You do not require an EU Representative if:
- Your data processing is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- you are a public authority or body.
If you think you may fall under one of these categories but are unsure, please contact Laven’s GDPR specialists who will be able to assess the data you hold and confirm.
Role of the Data Controller/Processor
Although the EU Representative removes the need to have an establishment in the EU in order to hold EU subjects’ data, data controllers/processors still have to comply with the requirements of the GDPR. Concerning their relationship with the EU Representative, data controllers/processors are also required to:
- maintain the GDPR accountability framework (i.e. the ability to demonstrate compliance with the GDPR principles), which includes: policies, a privacy-by-design framework, processor contracts, a record of processing activities, a log of data breaches and risk assessments;
- remain responsible for their data and update the records whenever necessary; and
- keep their Representative supplied with accurate and up-to-date information so that the record can also be kept and made available by the Representative at all times.
EU Representatives and Laven
Although the guidance on EU Representatives published by the EDPB has helped shed some light on the requirements for non-EU firms that hold EU subject data, there is still a level of uncertainty and no universal assessment; each case has to be viewed on its own merits.
In the first instance, Laven’s team of GDPR experts can help you assess whether your business needs a European or UK Representative. We can then offer you either service through our group companies.