Appointing a Representative in the EU

Two years since the implementation of GDPR the EU has launched a review into its effectiveness. The press release stressed that GDPR has been a success since it was introduced and identifying areas for further work. These included ensuring the GDPR was applied consistently across Europe as there are still critics of the new data protection standards. There was also a reference to the UK leaving the EU and the need to ensure that proper application of GDPR standards must be part of any Brexit agreement.

So what are the potential data protection impacts that businesses need to focus on as the end of the transition period between the EU and the UK following Brexit comes to an end?

As with Brexit at the end of January 2020, if there is an agreement with the EU on the terms of ongoing trade between the parties, data protection issues will be minimal although there is a requirement for UK businesses to appoint a local Representative if they sell goods or services into the EU or monitor EU citizens.

Guidance adopted by the European Data Protection Board in November 2019 set out some of the rules around appointing a Representative as follows:

One representative can be appointed for several data processing activities of a non-EU entity
Only one Appointed Representative is required to cover several EU Member States.
The appointee should be based in the Member States where most of the organisation’s data subjects reside.
A Data Protection Officer may not be an Appointed Representative due to conflict of interest.
The Appointed Representative will not be directly liable for data protection compliance failures of the organisation they represent but will be a channel through which the organisation itself can be held liable.
The appointment of a representative within the EU does not constitute an “establishment” of the controller or processor.

If there is no trade agreement between the UK and the EU at the end of 2020, then there will be an issue around the transfer of personal data between EU Member States and the UK and vice versa. The solution, as with Brexit, is either to put agreements in place incorporating the Standard Contractual Clauses approved by the EU and UK or, when dealing direct with consumers, to obtain their informed consent to the transfer of the data.

The practical issues that need to be covered in the written agreement appointing the Representative will be covered in a further blog in July 2020.

Mandy Webster, Data Protection Consultant

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

One Comment

Joy Higham August 12, 2020 at 3:16 pm - Reply

It’s good to know that a single representative can be appointed to cover several different processing activities and multiple EU Member States. This will make the requirement much easier to work with in practice!

Appointing a Representative in the EU

Update on data transfers from the EU to the UK

The Final Countdown

Requirement for an EU establishment or Appointed Representative following the end of the Brexit Transitional Period

Exit day changes

Brexit planning update

Appointing a Representative in the EU