The Data Protector: appointing an EU GDPR representative
Brexit day may now be in the back of our minds, but the legal changes that it has brought have been a minefield for UK businesses to navigate.
Many will remember when the EU General Data Protection Regulation (EU GDPR) originally came into play back in 2018, when the UK was still one of the 28. Whilst the EU GDPR may have caused mass panic amongst small businesses and corporations alike, the concept of data transfers between EU member states remained relatively straightforward, and this enabled the EU GDPR to be enforced consistently between them.
Since leaving the EU, the UK has become a third country in respect of data protection, bringing new requirements for UK businesses that offer goods or services to individuals in the EU or European Economic Area (EEA), or that monitor their behaviour (controllers and processors not established in the EU that fall under Article 3(2) EU GDPR).
A new requirement is that such businesses must designate in writing a representative (be that an individual or company) in an EU member state or country in the EEA unless their processing:
- is occasional;
- does not include processing of special categories of data or criminal conviction/offences data on a large scale; and
- is unlikely to result in a risk to the rights and freedoms of natural persons (when determining this, the nature, context, scope and purposes of processing will be taken into account); or
- is carried out by a public authority or body.
An example of a UK company requiring a representative is one which has no establishment within the EU or EEA but sells products online to consumers there. It will need to comply because personal data is regularly collected in relation to the sale of goods.
The newly appointed representative should be included in the privacy notice of the controller (Articles 13 and 14 EU GDPR). It must also be clear to a supervisory authority who the representative is; this could be achieved by indicating their identity on the business’ website.
The EU GDPR also specifies the obligations of the appointed representative. These include the obligation under Article 30 to keep a record of the processing activities under its responsibility and the obligation under Article 31 to cooperate with a supervisory authority’s requests in relation to its tasks.
The EU GDPR is further supported by the European Data Protection Board (EDPB) guidelines. In particular, these guidelines provide:
- that the representative has a facilitative responsibility (the purpose of which is to aid communication between the controller and processor and the data subjects);
- that they must communicate with the supervisory authority in a language common to the data subjects and the authority; and
- that, even though the controller or processor is responsible for the initial content, the representative must be able to provide the information when it is requested.
Failure to comply
Where an organisation meets the requirements but fails to appoint a representative, the maximum penalty under the EU GDPR is an administrative fine of up to €10,000,000 or up to 2% of total worldwide annual revenue for the preceding financial year (whichever is higher).
If you require any further information about appointing a representative in the EU or EEA, or require information in relation to their responsibilities or enforceability against them, please email or phone our Commercial Law team on 0113 207 0000.