With the Brexit transitional period ending, the beginning of the year finally brought some clarity about the future of data flows between the EU and U.K. A legally dubious, as not explicitly permitted by the EU General Data Protection Regulation, interim agreement on transborder data flows has been part of the EU-U.K. Trade and Cooperation Agreement and grants a temporary respite for privacy professionals, as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint representatives under Articles 27 of the EU and U.K. GDPR fully apply to cross-border processing between the European Economic Area and the U.K. have been in effect since Jan. 1, 2021.
Appointing a GDPR representative is a major compliance obligation introduced to facilitate effective enforcement of the GDPR's international outreach. But beyond being a nasty task to tick off from the long Brexit list, it can be a "compliance marketing" opportunity for non-EU businesses, as it showcases privacy commitment to the public.
Conversely, noncompliance is easily visible, as the representative must be mentioned in the company's privacy policy. Although an easy win for compliance, it did not receive appropriate attention from privacy professionals so far, which is why it is time to outline the most relevant aspects of the GDPR representative considering Brexit.
What's new for companies in 2021?
The obligation to appoint an EU GDPR representative affects many companies worldwide with high fines for noncompliance. In a nutshell, it applies to almost any company falling into the extraterritorial scope of the EU, which has no establishment in the EU. Conversely, as the U.K. GDPR basically copied and pasted the requirement into British law, companies located in the EU and elsewhere now need representation in the U.K.
Either way, businesses finding themselves in the scope of the EU/U.K. GDPR representative obligation should take immediate action, as no grace period has been announced by either authority. Fines for noncompliance are in the 10 million euro tier in the EU and the 8.7 million GBP tier in the U.K.
New UK GDPR representative requirement for both EU and non-EU companies
The scope of the new requirement to appoint a representative in the U.K. is linked to the extraterritorial scope of the U.K. GDPR according to its "destination principle" in Article 3(2), aiming at companies "with no offices, branches or other establishments in the U.K." but still active on the U.K. market. For an assessment of whether the company maintains an "establishment," Recital 22 of the EU GDPR (requiring "the effective and real exercise of activity through stable arrangements," irrespective of its legal form), as well as the Court of Justice of the European Union rulings on Weltimmo and Google Spain, may also be considered.
Although the EU GDPR recitals and the CJEU case law do not interpret the independent British law from a strictly legal perspective, they still offer valuable guidance as the U.K. GDPR holistically follows its EU model's regulatory concept.
A data controller without any establishment in the U.K. needs to check, first, if their data processing affects data subjects located in the U.K., irrespective of their citizenship. Second, they have to consider if one of the two triggers under the "destination principle" applies, which is the case if the data processing relates to either (1) the offering of goods or services, even if provided for free, to such data subjects in the U.K., or (2) the monitoring of their behavior as far as their behavior takes place within the U.K.
Since the U.K.'s Information Commissioner's Office has not yet issued independent guidance on the territorial scope of the U.K. GDPR, privacy professionals are advised to consult the related EDPB guidelines to check the business practices against the examples provided therein.
The exemption from the representative requirement under Article 27(2) will only apply to companies with unsystematic, non-sensitive personal data transfers between the EU and U.K. The European Data Protection Board assumes for the EU GDPR that it does not apply if, for example, transborder data flows occur as a part of the regular course of business. Also, the condition that the processing needs to be "unlikely to result in a risk to the rights and freedoms of natural persons" for the exemption to apply (one out of three that needs to be met simultaneously) narrows its scope strongly.
Data processors need to look into the data controller's business activities and their own involvement in the particular data processing, which may trigger the extraterritorial applicability of the GDPR. If, for example, a data controller uses an analytics cloud solution (data processor) to collect and analyze personal data within the extraterritorial scope of the U.K. GDPR, the processor needs to appoint its own U.K. representative.
The data controller must include the name and contact details of its representative into its privacy policies (Articles 13 and 14 of the U.K. GDPR), allowing data subjects to directly contact the representative. The GDPR includes no detailed requirements on the contact channels to be offered. According to the EDPB guidelines on transparency, the information "should preferably allow for different forms of communications with the data controller (e.g., phone number, email, postal address, etc.)."
UK companies: EU GDPR representative requirement
Since the U.K. became a third country Jan. 1, without any further transition period, a U.K. company with active business ties to one or more EU member states (and no office locations on the ground) may need to appoint an EU GDPR representative. This is the case if its business activities fulfill one of the criteria for the "destination principle" in Article 3(2), meaning the processing of personal data from data subjects located in the EU relates to either (1) the offering of goods or services, even if provided for free, to such data subjects in the EU, or (2) the monitoring of their behavior as far as their behavior takes place within the EU.
The details of the scope of the requirement equal the situation under British law for EU companies, so you should also consider the guidance in the previous chapter on the U.K. representative. Yet, one important characteristic of the EU law that should be considered in the context of enforcement — as the EDPB assumes that non-EU controllers cannot benefit from the "lead authority principle" — companies may need to deal with the various competent European data protection supervisory authorities, depending on where the affected data subjects are located.
Regarding data breach reporting under Article 33 of the GDPR, however, British, as well as other third countries, businesses without an establishment in the EU may submit breach notifications to the supervisory authority in the EU member state where the company's representative is established, as the EDPB suggests in its guidelines on personal data breach notifications, thereby establishing a de facto one-stop shop concerning breach notifications.
Companies based on other continents
Although there are no substantial changes in data protection regulation concepts through the split of the EU and U.K. GDPR legal regime, companies originating from countries other than the U.K. or EU may also be affected by Brexit when it comes to GDPR representation. In detail:
- Companies with U.K. offices but no EU offices may now need to appoint an EU representative (they had been exempt before).
- Companies with EU offices but no U.K. offices may need to appoint a U.K. representative.
- Companies with neither EU nor U.K. offices may need both an EU and a U.K. representative.
How to choose an EU or UK representative
Who can be a GDPR representative?
The representative can be any natural or legal person established in the EU or the U.K., respectively, such as law firms, private companies, individual residents, etcetera. The EDPB assumes that the role of a data protection officer, who needs to carry out their tasks in an independent manner, is incompatible with the role of a representative, who is generally bound to instructions by the data controller or processor. Aside from this potential conflict of interest, the EU and U.K. GDPR state no minimum professional qualifications for the representative.
For the EU representative, the GDPR requires they are established in one of the EU member states where data subjects are located. The EDPB further recommends, as a non-binding "good practice," to appoint a representative in the country where "a significant proportion" of the data subjects are.
What are the functions and tasks of the representative?
The representative is mandated in writing to be, additionally or alternatively, addressed on behalf of the data controller or processor on all issues around GDPR compliance. Its primary task is to facilitate contact between the represented entity and the enquirer. In practice, the representative will receive requests from individuals exercising their data subject rights and administrative notifications from supervisory authorities. Also, requirements from national data protection laws may apply.
The representative needs to maintain records of the processing activities of the company it represents (Article 30 of the GDPR). Since the representative usually has no direct insight into the company's business processes, practically speaking, the represented company needs to provide up-to-date copies of its records of processing activities to its representative. The EU and U.K. GDPR allow for direct orders of competent supervisory authority against the representative to provide the documentation.
Apart from this, the represented company itself always remains fully liable for complying both with requests from supervisory authorities and data subjects. Moreover, the EDPB has clarified that authorities may not directly enforce against the representative, particularly when it comes to administrative fines. Although Recital 80 states the representative "should be subject to enforcement proceedings in the event of noncompliance by the controller or processor," the wording of the GDPR itself does not allow for further liability of the representative.
So, who to appoint as an EU or a UK representative?
From an organizational point of view, the representative should fulfill its tasks in a reliable manner, as the receipt of inquiries both from data subjects and supervisory authorities may cause severe legal risks for the represented company. Therefore, even though it is possible to simply appoint a vendor or customer located in the EU, it may be advisable to look out for specialized organizations with legal expertise and experience in GDPR compliance. A good representative will ensure the timely provision of incoming inquiries and protect companies from legal risks by keeping an eye on deadlines and high-risk inquiries.
Photo by Rocco Dipoppa on Unsplash