How will Brexit impact GDPR?

This is even more relevant as the ICO further notifies that the UK government intends to incorporate the GDPR into the domestic legal system at the end of the transition period. We anticipate that there will not be much change to the practical aspects of Data Protection compliance, except the need for a European representative. You may remember that if you needed to use data from the EU, and were acting from outside the EU, a European representative was required (see Laven’s service EuroRep). This will become relevant to all UK companies, as by definition they will be a UK organisation without a permanent establishment in the European Economic Area (the “EEA”) as required under article 27 of the GDPR.

To determine whether your organisation requires a European representative, you should assess your company’s situation against two conditions set out in article 3(2) of the GDPR:

1)      if you do not have offices, branches or other establishments in the EEA

and

2) you are offering goods or services to individuals in the EEA or you are monitoring behaviour of individuals in the EEA,

If both conditions are met, you will need a European representative.

To satisfy condition 1 outlined above, the presence of a single employee or an agent may be sufficient to qualify as having a stable arrangement and this is set out in Recital 19 of Directive 95/46/EC (Directive of the European Parliament and Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data. The European Court of Justice frequently refers to this directive in its rulings.

The second condition of the test asks, in short, whether you target individuals in the European Union. Please note that the targeting criteria are not limited to citizens of the EU Member States or determined by any individuals’ legal status in a Member State. Recital 14 of the GDPR reaffirms that “the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. To determine whether an individual is in the EU, both conditions must be met simultaneously: 1) the individual must be in the EU when 2) the goods and services are being offered (e.g. a MiFID investment firm marketing to prospects based in the EEA), or when one’s behaviour is being monitored.

There are a limited number of exemptions which are set out in article 27 of the GDPR.

Once an organisation establishes that they do not have a base in the EEA after the transition period ends, they will need to authorise, in writing, a European representative to act as a direct contact for the individuals and data protection Supervisory Authorities in the EEA. This is a good time to prepare for this with the transition period coming to an end at the start of January 2021.

Further for all our non-UK established clients, it must be noted that the UK government has also indicated that after the transition period, a controller or processor located outside the UK will need to appoint a UK representative.

To conclude, all clients and friends will need to think carefully about how to process data in the UK or the EU and sadly cover the burden of appointing a representative. Luckily we have an easy tech-driven and affordable solution so please get in touch with us to add your name to the waiting list should the UK government implement this as law, and if you feel you may need a UK or EU representative after Brexit. Laven will operate from the UK and Luxembourg to cover both.

Be ready for 2021 and act now. Laven can help you establish whether you require a representative and help provide you with one if appropriate. All clients on the waiting list will be eligible for a 15% first-year saving.

Get in contact today!