News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | GDPR representatives in EU and UK after Brexit Related reading: Draft UK adequacy decisions — A somewhat lukewarm embrace?

rss_feed

""

With the Brexit transitional period ending, the beginning of the year finally brought some clarity about the future of data flows between the EU and U.K. A legally dubious, as not explicitly permitted by the EU General Data Protection Regulation, interim agreement on transborder data flows has been part of the EU-U.K. Trade and Cooperation Agreement and grants a temporary respite for privacy professionals, as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint representatives under Articles 27 of the EU and U.K. GDPR fully apply to cross-border processing between the European Economic Area and the U.K. have been in effect since Jan. 1, 2021.

Appointing a GDPR representative is a major compliance obligation introduced to facilitate effective enforcement of the GDPR's international outreach. But beyond being a nasty task to tick off from the long Brexit list, it can be a "compliance marketing" opportunity for non-EU businesses, as it showcases privacy commitment to the public. 

Conversely, noncompliance is easily visible, as the representative must be mentioned in the company's privacy policy. Although an easy win for compliance, it did not receive appropriate attention from privacy professionals so far, which is why it is time to outline the most relevant aspects of the GDPR representative considering Brexit.

What's new for companies in 2021?

The obligation to appoint an EU GDPR representative affects many companies worldwide with high fines for noncompliance. In a nutshell, it applies to almost any company falling into the extraterritorial scope of the EU, which has no establishment in the EU. Conversely, as the U.K. GDPR basically copied and pasted the requirement into British law, companies located in the EU and elsewhere now need representation in the U.K.

Either way, businesses finding themselves in the scope of the EU/U.K. GDPR representative obligation should take immediate action, as no grace period has been announced by either authority. Fines for noncompliance are in the 10 million euro tier in the EU and the 8.7 million GBP tier in the U.K.

New UK GDPR representative requirement for both EU and non-EU companies

The scope of the new requirement to appoint a representative in the U.K. is linked to the extraterritorial scope of the U.K. GDPR according to its "destination principle" in Article 3(2), aiming at companies "with no offices, branches or other establishments in the U.K." but still active on the U.K. market. For an assessment of whether the company maintains an "establishment," Recital 22 of the EU GDPR (requiring "the effective and real exercise of activity through stable arrangements," irrespective of its legal form), as well as the Court of Justice of the European Union rulings on Weltimmo and Google Spain, may also be considered. 

Although the EU GDPR recitals and the CJEU case law do not interpret the independent British law from a strictly legal perspective, they still offer valuable guidance as the U.K. GDPR holistically follows its EU model's regulatory concept.

A data controller without any establishment in the U.K. needs to check, first, if their data processing affects data subjects located in the U.K., irrespective of their citizenship. Second, they have to consider if one of the two triggers under the "destination principle" applies, which is the case if the data processing relates to either (1) the offering of goods or services, even if provided for free, to such data subjects in the U.K., or (2) the monitoring of their behavior as far as their behavior takes place within the U.K. 

Since the U.K.'s Information Commissioner's Office has not yet issued independent guidance on the territorial scope of the U.K. GDPR, privacy professionals are advised to consult the related EDPB guidelines to check the business practices against the examples provided therein.

The exemption from the representative requirement under Article 27(2) will only apply to companies with unsystematic, non-sensitive personal data transfers between the EU and U.K. The European Data Protection Board assumes for the EU GDPR that it does not apply if, for example, transborder data flows occur as a part of the regular course of business. Also, the condition that the processing needs to be "unlikely to result in a risk to the rights and freedoms of natural persons" for the exemption to apply (one out of three that needs to be met simultaneously) narrows its scope strongly.

Data processors need to look into the data controller's business activities and their own involvement in the particular data processing, which may trigger the extraterritorial applicability of the GDPR. If, for example, a data controller uses an analytics cloud solution (data processor) to collect and analyze personal data within the extraterritorial scope of the U.K. GDPR, the processor needs to appoint its own U.K. representative.

The data controller must include the name and contact details of its representative into its privacy policies (Articles 13 and 14 of the U.K. GDPR), allowing data subjects to directly contact the representative. The GDPR includes no detailed requirements on the contact channels to be offered. According to the EDPB guidelines on transparency, the information "should preferably allow for different forms of communications with the data controller (e.g., phone number, email, postal address, etc.)."

UK companies: EU GDPR representative requirement

Since the U.K. became a third country Jan. 1, without any further transition period, a U.K. company with active business ties to one or more EU member states (and no office locations on the ground) may need to appoint an EU GDPR representative. This is the case if its business activities fulfill one of the criteria for the "destination principle" in Article 3(2), meaning the processing of personal data from data subjects located in the EU relates to either (1) the offering of goods or services, even if provided for free, to such data subjects in the EU, or (2) the monitoring of their behavior as far as their behavior takes place within the EU.

The details of the scope of the requirement equal the situation under British law for EU companies, so you should also consider the guidance in the previous chapter on the U.K. representative. Yet, one important characteristic of the EU law that should be considered in the context of enforcement — as the EDPB assumes that non-EU controllers cannot benefit from the "lead authority principle" — companies may need to deal with the various competent European data protection supervisory authorities, depending on where the affected data subjects are located.

Regarding data breach reporting under Article 33 of the GDPR, however, British, as well as other third countries, businesses without an establishment in the EU may submit breach notifications to the supervisory authority in the EU member state where the company's representative is established, as the EDPB suggests in its guidelines on personal data breach notifications, thereby establishing a de facto one-stop shop concerning breach notifications.

Companies based on other continents

Although there are no substantial changes in data protection regulation concepts through the split of the EU and U.K. GDPR legal regime, companies originating from countries other than the U.K. or EU may also be affected by Brexit when it comes to GDPR representation. In detail:

  • Companies with U.K. offices but no EU offices may now need to appoint an EU representative (they had been exempt before).
  • Companies with EU offices but no U.K. offices may need to appoint a U.K. representative.
  • Companies with neither EU nor U.K. offices may need both an EU and a U.K. representative.

How to choose an EU or UK representative

Who can be a GDPR representative?

The representative can be any natural or legal person established in the EU or the U.K., respectively, such as law firms, private companies, individual residents, etcetera. The EDPB assumes that the role of a data protection officer, who needs to carry out their tasks in an independent manner, is incompatible with the role of a representative, who is generally bound to instructions by the data controller or processor. Aside from this potential conflict of interest, the EU and U.K. GDPR state no minimum professional qualifications for the representative.

For the EU representative, the GDPR requires they are established in one of the EU member states where data subjects are located. The EDPB further recommends, as a non-binding "good practice," to appoint a representative in the country where "a significant proportion" of the data subjects are.

What are the functions and tasks of the representative?

The representative is mandated in writing to be, additionally or alternatively, addressed on behalf of the data controller or processor on all issues around GDPR compliance. Its primary task is to facilitate contact between the represented entity and the enquirer. In practice, the representative will receive requests from individuals exercising their data subject rights and administrative notifications from supervisory authorities. Also, requirements from national data protection laws may apply.

The representative needs to maintain records of the processing activities of the company it represents (Article 30 of the GDPR). Since the representative usually has no direct insight into the company's business processes, practically speaking, the represented company needs to provide up-to-date copies of its records of processing activities to its representative. The EU and U.K. GDPR allow for direct orders of competent supervisory authority against the representative to provide the documentation.

Apart from this, the represented company itself always remains fully liable for complying both with requests from supervisory authorities and data subjects. Moreover, the EDPB has clarified that authorities may not directly enforce against the representative, particularly when it comes to administrative fines. Although Recital 80 states the representative "should be subject to enforcement proceedings in the event of noncompliance by the controller or processor," the wording of the GDPR itself does not allow for further liability of the representative.

So, who to appoint as an EU or a UK representative?

From an organizational point of view, the representative should fulfill its tasks in a reliable manner, as the receipt of inquiries both from data subjects and supervisory authorities may cause severe legal risks for the represented company. Therefore, even though it is possible to simply appoint a vendor or customer located in the EU, it may be advisable to look out for specialized organizations with legal expertise and experience in GDPR compliance. A good representative will ensure the timely provision of incoming inquiries and protect companies from legal risks by keeping an eye on deadlines and high-risk inquiries.

Photo by Rocco Dipoppa on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Paul Voigt, CIPP/E IAPP Member Contributor
Tags
Europe
Big Data
Privacy Law
Privacy Operations Management
Transborder Data Flow
1 Comment

If you want to comment on this post, you need to login.

  • comment Matthew Clayton • Mar 9, 2021 
    <p>Thank you - this is a really important topic to bring to the attention of organisations now the transition period is over. We come across many organisations closely following developments around the EU/UK adequacy decision and interim 'bridge' arrangements, who may be exposing themselves to a significant fine if they're relying on the common belief that there is no change in data privacy compliance just yet. </p>
Related Stories
‘Privacy Implications of Brexit’
Under a trade deal between Britain and the European Union data can continue to flow between the EU and U.K., a bridging mechanism scheduled to only be in place for the next six months. European Commission Head of International Data Flows and Protection Bruno Gencarelli and the Department for Digital...
Read More queue Save This
UK, EU reach interim data flow agreement
1
After years of wrangling and with the clock ticking louder by the day, British and European negotiators provided a temporary grace period for data flows to continue between the EU and U.K. In the Trade and Cooperation Agreement signed between the EU and U.K. Dec. 24, 2020, data transfers for busines...
Read More queue Save This
Related Stories
Tags
Europe
Big Data
Privacy Law
Privacy Operations Management
Transborder Data Flow
Recent Comments