Two years since the implementation of GDPR the EU has launched a review into its effectiveness. The press release stressed that GDPR has been a success since it was introduced and identifying areas for further work. These included ensuring the GDPR was applied consistently across Europe as there are still critics of the new data protection standards. There was also a reference to the UK leaving the EU and the need to ensure that proper application of GDPR standards must be part of any Brexit agreement.
So what are the potential data protection impacts that businesses need to focus on as the end of the transition period between the EU and the UK following Brexit comes to an end?
As with Brexit at the end of January 2020, if there is an agreement with the EU on the terms of ongoing trade between the parties, data protection issues will be minimal although there is a requirement for UK businesses to appoint a local Representative if they sell goods or services into the EU or monitor EU citizens.
Guidance adopted by the European Data Protection Board in November 2019 set out some of the rules around appointing a Representative as follows:
- One representative can be appointed for several data processing activities of a non-EU entity
- Only one Appointed Representative is required to cover several EU Member States.
- The appointee should be based in the Member States where most of the organisation’s data subjects reside.
- A Data Protection Officer may not be an Appointed Representative due to conflict of interest.
- The Appointed Representative will not be directly liable for data protection compliance failures of the organisation they represent but will be a channel through which the organisation itself can be held liable.
- The appointment of a representative within the EU does not constitute an “establishment” of the controller or processor.
If there is no trade agreement between the UK and the EU at the end of 2020, then there will be an issue around the transfer of personal data between EU Member States and the UK and vice versa. The solution, as with Brexit, is either to put agreements in place incorporating the Standard Contractual Clauses approved by the EU and UK or, when dealing direct with consumers, to obtain their informed consent to the transfer of the data.
The practical issues that need to be covered in the written agreement appointing the Representative will be covered in a further blog in July 2020.
Mandy Webster, Data Protection Consultant
It’s good to know that a single representative can be appointed to cover several different processing activities and multiple EU Member States. This will make the requirement much easier to work with in practice!