Summary: If your company is not established in the United Kingdom (UK) from 1 January 2021, but offers goods or services there, or if it monitors the behaviour of persons in the UK, it must appoint a representative there.
If your company is not established in either the EU or the UK from 1 January 2021, you may need to appoint a representative in both the EU and the UK.
Does This Requirement Also Apply To My Company?
The United Kingdom left the EU on 31 January 2020 (Brexit). There is a transitional period until 31 December 2020. After that, as things stand at present, the EU’s General Data Protection Regulation (GDPR) will be incorporated into UK law (“UK GDPR”). According to the UK GDPR, the following requirements for the appointment of a UK representative will then apply:
In short, if your company is not established in the United Kingdom but offers goods or services there or if it monitors the behaviour of persons in the United Kingdom, it must appoint a representative there.
What Does “Offering Goods or Services” Mean?
The definition is very broad: For example, if you run a SaaS business that does not explicitly exclude UK users, you are providing a “service” to individuals in the UK. If you run a webshop with an English user interface and offer shipping to the UK, you are also offering “goods”. In short, if you do business in any way with individuals residing in the UK (not just citizens), your business falls into this category.
What Does “Observe the Behaviour of Affected Persons” Mean?
If your company operates a website or web shop where cookies or social plugins are used to enable tracking or profiling of your visitors, there is a high probability that this could be considered as “monitoring the behaviour” of individuals.
When Is My Company “Established” in the UK?
If your company (or any of its subsidiaries) is registered and/or has a place of business in the UK, it is deemed to be “established” there.
How Do I Find a UK Representative?
We can arrange UK representatives through our network. Please feel free to contact us (firstname.lastname@example.org).
What Is the Role of the Representative and How Do I Appoint One?
The representative is a person or body who acts as a point of contact, in particular for supervisory authorities and data subjects, for all questions relating to the processing of personal data. The representative must be appointed in writing to the Information Commissioner’s Office (ICO), the UK’s data protection authority. This is usually done by the representative themselves on your behalf as their first official act. In practice, it is best to appoint a law firm or legal service provider as a representative – they usually have extensive experience in data protection law and a direct line to the regulator.
Do I Also Have To Appoint a Representative in the EU?
If your company is not established in the EU but provides goods or services there and/or monitors the behaviour of individuals in the EU, you must appoint a representative in the EU in addition to the UK representative (for more information on the EU representative, click here). This means that if your company is not established in either region, you may need to appoint two separate representatives, one for each region.
It is sufficient to appoint only one EU representative for the whole EU. In the EU, you have some flexibility in choosing the Member State where the representative is to be appointed: In principle, you are free to choose among the (remaining) 27 Member States. However, the representative must be appointed in a Member State where at least some of the persons whose personal data your company processes are located. This means, for example, that you cannot appoint a representative in Malta if you offer your services exclusively to German citizens.
What Other Implications Does Brexit Have for Data Protection in the EU and the UK?
The UK government has prepared the adoption of a separate version of the GDPR (“UK GDPR”) by amending the 2018 Data Protection Act. It is expected that, from 1 January 2021, the substantive data protection requirements will be similar to those in the EU. However, it remains to be seen to what extent the UK government will “customize” its own version of the GDPR, what rules may be interpreted differently and how businesses will have to react to these changes.
Data transfers between the EU and the United Kingdom are initially subject to the requirements for third country transfers (Chapter V of the GDPR). Measures such as the EU Standard Contractual Clauses may therefore need to be used for such transfers. However, it is expected that the EU Commission will adopt an “adequacy decision” for the UK in the foreseeable future. This would mean that an EU company would be able to “export” data from the EU to the UK without additional measures. It is also expected that the UK will allow data exports from the UK to the EU without additional requirements. However, further developments should be monitored.
More information and background
For more information, please consult the following sources:
- The Information Commissioner’s Office (ICO), the UK’s data protection authority, has recently published a guide on this subject.
- The UK government has published a so-called “Keeling” plan outlining the planned changes to the 2018 Data Protection Act.
- The European Data Protection Board (EDPB) has published an additional guide on “GDPR data transfers in the case of no-deal Brexit”.