I am a partner in our London office, looking after the Bird & Bird Privacy Solutions service line, within the Privacy & Data Protection team. I supervise Privacy & Data Protection compliance and consultancy engagements, which include Data Protection Officer and GDPR Representative services, across industries.
With a Brexit trade deal now having been agreed, a number of data protection compliance actions must be considered by organisations, including whether the appointment of an article 27 representative in the UK and/or the EU is necessary.
What is 'a representative' and who does it apply to?
A representative is a local point of contact for the organisation they represent, who can communicate with individuals and data protection authorities on behalf of the organisation in relation to data protection matters.
In the EU, the GDPR requires organisations not established in the EU to appoint a representative in an EU member state (or the EEA), if (i) the organisation if it is apparent that the organisation intends to offer goods or services to individuals in the EU or (ii) it monitors the behaviour of individuals in the EU (or the EEA). At the end of the December 2020 (and now that a Brexit trade deal has been agreed), organisations only established in the UK will be required to appoint an EU representative monitors the behaviour of individuals in the EU, or if it is apparent that the organisation intends to offer goods or services to individuals in the EU.
In addition to this (now that a Brexit trade deal has been agreed), organisations not established in the UK but who (i) are offering goods or services to individuals in the UK or (ii) monitoring their behaviour will be required to appoint a UK representative, in order to comply with UK data protection law. This has been confirmed by the UK Data Protection Authority (i.e. the Information Commissioner's Office), which has stated that ''the UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative''.
What does this mean in practice for organisations?
Following the end of the transition period at the end of December 2020:
Organisations established outside the EU and the UK: currently, these organisations require one representative based in the EU. Following the end of the transition period, these organisations may need an additional representative. If the organisation's current representative is based in the UK, but the organisation sells to or monitors individuals in the EU, an additional EU representative will be required to comply with the GDPR. If the organisation's current representative is based in another EU member state, but the organisation sells to or monitors individuals in the UK, a UK representative will be required to comply with UK law.
Alternatively, it may prove cost-effective to appoint an outsourced representative with establishments in both the EU and the UK which can act on the organisation’s behalf in both cases.
Organisations established in the UK: organisations established in the UK but which offer goods or services to, or monitor, individuals in the EU will need to appoint a representative in an EU country following the end of the transition period.
Organisations established in other EU countries: organisations established in the EU but not in the UK, which offer goods or services to, or monitor, individuals in the UK will need to appoint a representative in the UK following the end of the transition period. This will be needed in order to comply with UK data protection law.
What do you need consider when appointing an EU and/or a UK representative?
Assess where you need a representative (UK and/or EU) considering your current and future business operations
Consider whether your business foresees an expansion which will lead to a new market. Will you need a representative in the UK and/or the EU as a result of this?
Find the best business option to minimise the cost of appointing representative(s) (e.g. a representative located in the jurisdiction required).
While a UK representative is relatively straightforward in terms of the representative's location, non-EU organisations will need to assess carefully when choosing where to appoint their EU representative.
Representatives should be located in a jurisdiction in which there are individuals whose data is being processed, but if the individuals are located in multiple countries the organisation will need to make a choice about where to appoint them. In many cases this will not be an obvious choice and a business and legal analysis will be needed to assess where a representative can most effectively fulfil their role.
If an organisation processes data from individuals in multiple EU countries, the representative must remain easily accessible to the individuals in all those countries, and must be able to communicate in the language used by the individuals and supervisory authorities of each of those countries.
An outsourced representative with an international presence will make it easier to have a representative easily accessible to individuals and supervisory authorities in different countries, with the language skills required to communicate with them
Flowchart for EU/UK reps
The flow chart below can help you determine what route to go down when deciding whether, and where, to appoint a representative.