Following the UK’s exit from the EU, some organisations that routinely process personal data of individuals within the UK and EU are now required to appoint a data protection representative.
If you are an organisation doing business in the UK or EU without a presence in either location, you may need a representative to ensure you meet your General Data Protection Regulation (GDPR) obligations under Article 27 of the UK or EU GDPR.
Our Data Protection team can advise you if this applies to you, help you find a representative and ensure you have the right documentation and customer communication in place.
If you are a UK-based organisation offering services or goods in the EU, but with no EU base, and are processing personal data of individuals in the EU, or monitoring their behaviour, you may require an EU representative to comply with Article 27 of the EU General Data Protection Regulation (GDPR).
Similarly, if your organisation is based outside the UK, offering services or goods to individuals in the UK, but with no UK base and processing personal data of, or monitoring the behaviour of individuals in the UK, you may require a UK representative to meet your obligations under Article 27 of the UK GDPR.
Public authorities are not required to appoint a representative and the requirement may not apply to your organisation if you only engage in occasional, low-risk personal data processing activities.
We can advise you as to whether the requirement applies to your organisation and help you find a representative if it does.
The role of a representative is distinct from the Data Protection Officer (DPO). The main active duties of a representative are to act as a link between a non-UK or non-EU organisation and data protection authorities (such as the ICO) and a point of contact for data subjects.
The representative is also responsible for maintaining the organisation’s record of personal data processing activities. The nature of duties carried out by a representative may vary depending on the type and volume of data processing activities undertaken by the organisation.
Representatives must be formally authorised to act on your organisation’s behalf. The appointment should be made in writing.
Organisations must provide data subjects with contact details for the representative, which can be incorporated into your organisation’s privacy notice. We can advise you on the necessary customer communication and make sure you have the right documentation in place.
Thorntons’ specialist Data Protection team is on hand to provide you with expert advice on the impact of the UK’s exit from the EU on your organisation’s data processing activities and to help you navigate the complexities of appointing a representative for your organisation.
If you think you need to appoint a UK or EU representative or are not sure if your organisation is compliant with Article 27, please call our specialist Data Protection team on 03330 430350 for more information on how we can help. Or complete our online enquiry form and an expert from our Data Protection team will call you back.