Data Protection Compliance After Brexit

October 9, 2019

Appointing an EU Representative

Following our successful webinar on The Implications of Brexit on Contracts, we received quite a few follow up questions about post-Brexit GDPR compliance for UK organisations who have customers or contacts in EU member states.  

It is becoming quite clear that many businesses of all sizes are unprepared and don’t have a resource, budgets or a roadmap to help them become prepared. This Blog looks to help set one issue straight – well, straighter, given the level of uncertainty.

Scope of GDPR

Under the General Data Protection Regulations 2016 (GDPR), organisations that process individuals’ personal data must make sure that the rights of those individuals are protected. 

The GDPR applies to organisations that

  • provide products or services in the EU, or
  • monitors the behaviour of individuals located in the EEA.

This includes either providing direct services to individuals (as a data controller) or if the organisation acts as a data processor on behalf of the controller.

The GDPR applies to any organisation no matter where it is located, as applies to where the processing takes place if it relates to personal data about individuals residing in the EU.

Requirement to appointment an EU Representative

One consequence of Brexit will be that UK organisations will need to take additional steps to comply with the GDPR in relation to any EU customers OR contacts.    

While this has been an obligation since the GDPR came into force, commentators have been waiting to see if the terms of any Brexit withdrawal arrangement might allow for a transition arrangement or an exemption for UK based businesses.  To date, this has not been forthcoming, and so UK based data controllers and processors must comply with Article 27 if they don’t have an EU branch, etc. 

The GDPR (Article 27) requires that “the controller or the processor shall designate in writing a representative in the Union”.  For these purposes, the Union means the remaining 27 EU member states plus Iceland, Liechtenstein and Norway.   

This means that once the UK leaves the EU, if your UK based organisation does not have a branch, office or other establishments in any other EU or EEA state, but who process information about individuals in the EEA you must appoint a representative in the EU to act on their behalf.  

 

***This obligation also applies to organisations based in the rest of the world who don’t have a branch or office in the EU.***

 

Having a representative does not affect your own responsibility or liability under the EU GDPR.

If Article 27 applies to your business and if you fail to appoint a Data Protection Representative you could be fined up to (the greater of) €10,000,000 or 2% of global turnover (Article 84(4)(a)).

 

What is the background reason for this?

The GDPR protects the rights of individuals, by giving them information and access rights about who holds their personal information and why and how that information is held.  If an organisation doesn’t have an EU based contact, it makes it harder for EU citizens to exercise their rights.  

.

Scope of the appointment

  • The Representative will need to be set up in an EU or EEA state where some of the individuals whose personal data the organisation is processing in this way are located.  
  • The appointed Representative (which can be an individual or a company) must act as your main contact for any questions and concerns regarding data protection from any EU citizen or any data protection supervisory authority.  
  • Your Representative must be authorised, in writing (usually under a service agreement) which should set out the terms of your relationship with them.  
  • You should appoint the Representative to act on your behalf on matters of your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.

Informing individuals and regulators

  • You must inform the affected EEA-based individuals and provide them with the details of the Representative. This may be done by including information in your privacy notice or in the upfront information that you provide to individuals when their data is collected.  
  • This information must also be easily available to the relevant supervisory authorities – for example by publishing details on your website.

Finding a suitable representative

As the Representative is customer-facing and the face of a company’s compliance in the EU, care must be taken in choosing a suitable representative.  Initially, there seemed to be not many wanting to provide this service, given the liability of the Representative (who is subject to enforcement proceedings in the event of non-compliance by the controller or processor).

However, more service providers have come forward, and a quick search online will come up with a fair number now offering the service.  When deciding which is right for you, you should consider which is the most suitable jurisdiction.

While the GDPR only requires “a” Representative to be appointed in a member state where customers are based, given the difference between different EU member states interpretation of the GDPR processes, and cultural differences between the various member states, you may want to consider appointing a number of Representatives if this is economically feasible for you.  

 

A red flag warning 

If you don’t have a base in the EU and you don’t have details of your Representative in your customer-facing privacy notice, it is immediately apparent that you will have failed to meet the Article 27 duty. This is a red flag that you may have other incidents of potential non-compliance elsewhere.  Whereas, if you comply with Article 27, and provide details of your Representative, this shows that you are taking GDPR compliance seriously.

 

How we can help you

At LawBite, we can help guide businesses through the maze of implications on Brexit on their business, including how it may affect GDPR compliance.  We can help with all aspects of Business law advice including:

  • Carrying out reviews of your current GDPR compliance, highlighting risks and suggesting steps forward
  • Advice on GDPR compliant Data Processing Agreements and data processing transfer advice 

 

Our lawyers provide expert legal advice to your business to ensure that your contacts are appropriate and robust. We also offer to review your terms and conditions and recommend updates and improvements to make them more effective and better suited to your business.

For more information, or for advice on the appointment of an EU Representative including drafting or amending your Privacy Notice or compliance documents, please get in touch with us at [email protected]