If you are based in or outside the European Union and interact with personal data of UK citizens, you need a representative in the UK. Our experts can help you do just that.
On June 28, 2021, the European Commission adopted decisions on the UK’s compliance with the EU’s General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). In both cases, the European Commission found the UK to be compliant. This means that most data can continue to flow from the UK without the need for additional safeguards.
However, the adequacy decisions do not cover data transferred to the UK when it is:
For this type of data, different rules apply and the sender must have other transfer safeguards in place.
An adequacy decision is a formal decision taken by the EU that recognizes that another country, territory, sector, or international organization provides an equivalent level of protection for personal data as the EU.
On June 28, 2021, the European Commission issued two adequacy decisions regarding the United Kingdom:
These decisions issued by the European Commission remain in effect until June 27, 2025.
The European Commission will revisit the issue in 2024 to decide whether to extend them for an additional period of up to four years.
The adequacy decision states that the UK provides adequate protection for personal data when it is transferred from the EU to the UK.
However, data transfers for UK immigration control purposes, or falling under the immigration exemption in the DPA 2018, are excluded from the scope of the adequacy decision.
The LED adequacy decision also states that the UK provides adequate protection for personal data transferred by EU authorities responsible for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties.
If you are based in the UK and do not have a branch, office or other establishment in any of the EU or EEA member states, but you:
then you must still comply with GDPR with respect to those personal data processing operations.
If you do not have an establishment in the EU or EEA, the GDPR requires you to appoint a representative. This representative must be established in an EU or EEA state where the personal data you process is located.
You must, in writing:
In the event of a request or inspection by the authorities, the representative’s contact information must be readily available and findable.
Your representative may be an individual, a company, a consultancy or an organization established in the EEA, and must be able to represent you in relation to your obligations to comply with GDPR.
If this applies to you, we invite you to visit our “EU Representative” page, and to contact us.
The United Kingdom was a member state of the European Union until Brexit, which took effect on January 1st, 2021. As such, the UK was subject to GDPR and implemented it into its own local law. This explains why the role of the EU representative has a “double”, or “mirror” in the UK, embodied in the UK representative.
If you are based outside the UK and do not have a branch, office or other establishment in the UK, but you:
you must comply with the UK GDPR with respect to such data processing. This compliance involves the appointment of a representative in the UK.
You will need to, in writing, authorize the representative to act on your behalf with respect to your compliance with the UK GDPR, and to deal with the ICO and data subjects. The representative can take many forms: an individual, a company, a consultancy or an organization based in the UK. Having a representative will not affect your own responsibility or liability under the UK GDPR.
An EEA-based product sales company has no offices in the UK, but has a regular customer base there. The company must appoint a UK representative to be its direct contact with data subjects and the ICO.
The company will need to include the name of its representative in the information it provides to data subjects. It is not required to inform the ICO, but the contact details of the representative in the UK must be readily available to the supervisory body.
Under Article 27 of GDPR, an EU representative must be appointed by a company (data controller or processor) without an establishment in the EU if it sells goods/services to the EU, or if it supervises individuals/businesses.
Under the UK GDPR, a business without an establishment in the UK that sells or supervises people/businesses in the UK is obliged to appoint a representative in the UK.
The result is that businesses not established in the EU or the UK but processing personal data of UK citizens will have to appoint both.
Summary of the current and post-Brexit situation
| Controller | Sells only in the UK | Sells only in the EU | Sells to UK and EU |
|---|---|---|---|
| Only in the UK | Nothing | An EU Representative is required | An EU Representative is required |
| Only in the European Union | A UK Representative is required | Nothing | A UK Representative is required |
| Only in the rest of the world | A UK Representative is required | An EU Representative is required | An EU and UK Representative are required |
| In the UK and EU | Nothing | Nothing | Nothing |