If you are settled outside the United Kingdom, whether in or outside the European Union, and you process UK citizens’ data, you need a UK representative. Our experts support you in this process.
On June 28th, 2021 the EU Commission adopted decisions regarding the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission found the UK adequate. This means that most data can continue to flow from the EU and the European Economic Area (EEA) without any need for additional guarantees.
The adequacy decisions do not cover data transferred to the UK for the purposes of:
For this kind of data, different rules apply and the EEA sender needs to put other transfer guarantees in place.
An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides a level of protection for personal data equivalent to that provided by the EU.
On June 28th, 2021 the EU Commission published two adequacy decisions in respect of the UK:
These decisions contain the European Commission’s detailed assessment of the UK’s laws and systems for protecting personal data, as well as the legislation designating the UK as adequate.
Both adequacy decisions are expected to remain in force until June 27th, 2025. From 2024, the European Commission will decide whether or not to extend the adequacy decisions for the UK for a further period of up to a maximum of another four years.
The EU GDPR adequacy decision states that the UK provides adequate protection for personal data transferred from the EU to the UK under the EU GDPR.
However, transfers of personal data for the purposes of UK immigration control, or which would otherwise fall within the scope of the immigration exemption in the DPA 2018, are excluded from the scope of the adequacy decision. This may also affect which version of the data protection regime applies in the UK to data processed for immigration control purposes.
The LED adequacy decision also states that the UK provides adequate protection for personal data transferred from EU authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
If you are settled in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either:
then you still need to comply with the EU GDPR regarding this processing.
As you do not have a base inside the EU or EEA, the EU GDPR requires you to appoint a representative in the EU or EEA. This representative needs to be set up in an EU or EEA member state where some of the individuals whose personal data you are processing in this way are located.
You must, in writing:
In the event of a request or inspection by the authorities, the representative’s contact details must be readily available and traceable.
Your representative may be an individual, or a company or organisation established in the EU or the EEA, and must be able to represent you regarding your obligations under the EU GDPR. Having a representative does not affect your own responsibility or liability under the EU GDPR.
If this concerns you, we invite you to see our page “EU Representative” and to contact us. We will be happy to help you.
The UK was a member state of the EU before Brexit. Since January 1st, 2021, the UK has no longer been part of the EU, but it has implemented the EU GDPR within its local UK laws. This is why the role of the EU representative is mirrored in the UK by the UK representative role.
If you are settled outside the UK and do not have a branch, office or other establishment within the UK, but you either:
then you will need to comply with the UK GDPR regarding this processing after the end of the transition period.
If you will not have a base inside the UK after the transition period ends, the UK GDPR will require you to appoint a representative in the UK. You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to deal with the ICO and data subjects in this respect.
Your representative may be an individual, or a company or organisation settled within the UK, and must be able to represent you regarding your obligations under the UK GDPR.
An EEA-based sales company is not based in the UK, but one of its clients is settled within the UK. The company must appoint a UK representative to act as its direct contact for data subjects and the ICO.
The company will have to include the name of its UK representative in the information it provides to the data subjects, for example in its privacy notice. It does not need to inform the ICO but the details should be easily accessible to the ICO.
Under GDPR Article 27, an EU representative must be appointed by a company (data controller or data processor) without an EU establishment if it sells to the EU or monitors people there.
Under the UK GDPR, there will also be an obligation to appoint a UK representative if a company without a UK establishment sells to the UK or monitors businesses there.
The result is that companies without an office in either the EU or the UK but processing personal data of EU and UK citizens will need to appoint both.
A summary of the position now and post-Brexit