What Is a UK Representative and Why Do You Need One?
Natacha has held several senior positions within the Foreign Office, including as the Deputy Ambassador for China and Director for Economic Diplomacy and Emerging Powers. She has also worked on international trade policy and development issues.
Companies that are not based in the UK must comply with UK privacy laws. They must appoint a representative in the UK to serve as their point of contact for data subjects, as well as the ICO.
What is a UK representative?
The UK Representative is an individual, company or organisation mandated in writing by a processor or controller of data to act on behalf of the controller or processor regarding all aspects of GDPR compliance. They will be the primary contact point for any inquiries from data subjects who exercise their rights or requests from supervisory authorities. They could also be subject to national laws which have been imposed due to the GDPR’s extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).
The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of a representative. This requirement applies to all companies that do not have a permanent location in the United Kingdom but offer goods or services, or observe the actions of individuals located there or who process personal data. The representative must be able to provide proof of their identity and show that they are capable of representing the data controller or processor with respect to the UK GDPR’s requirements.
The Representative must be able to communicate with authorities in the event of an incident. The representative must inform the supervisory authority that appointed them regardless of whether or not the breach affects data subjects in multiple jurisdictions.
It is crucial that the representative you choose has worked with both European and UK data protection authorities. It is also recommended for them to speak a local language since they are likely to receive contacts from individuals and agencies in the countries where they operate.
The EDPB states that the Representative is responsible for non-compliance. However, the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 has confirmed that a representative is not able to be sued by anyone who believes that the controller of the data did not meet the GDPR requirements in the UK. This is because according to the court, the Representative has no direct connection with the data processing activities carried out by the representative entity.
Who should be appointed a UK Representative?
The EU GDPR mandates that businesses outside of the EU, without an office or branch in the EU and that are targeting goods or services for European citizens, must designate a Representative. This is in addition to requirements from national data protection laws. A representative’s job is to serve as a local point-of-contact for individuals and supervisory bodies in relation to GDPR issues.
The UK has a similar requirement to the EU that is described in Article 27 of UK-GDPR. As with the EU requirement, the threshold is low: any company that provides products or services to, or monitors the behaviour of, data subjects in the UK must appoint a UK representative.
Under the UK-GDPR, a representative must be formally authorized “to be additionally or alternatively, addressed on behalf of the controller or processor by the data subjects and the British Information Commissioner’s Office”. They cannot be held personally accountable for GDPR compliance. However, they must cooperate with supervisory authorities in formal proceedings and receive information from data subjects who exercise their rights (access requests, the right to be forgotten, etc.).
Representatives should be located in the member state of the European Union in which the individuals whose personal data are processed are resident. Most of the time, this isn’t a straightforward decision to make. A thorough analysis of legal and business aspects is required to assess the location(s) most suitable for an organization. We offer a dedicated service that assists businesses to evaluate their needs and select the most appropriate representative location.
It is also advisable that representatives have experience interacting with both supervisory authorities and handling data subject requests. Language skills in the local language can also be important, as the job may require dealing with inquiries by data subjects or supervisory authorities in multiple countries throughout Europe.
The identity of the representative should be clarified to data subjects by including their information in privacy policies as well as the information provided to individuals before collecting their data (see Article 13 UK-GDPR). The UK Representative’s contact information should be posted on your website, giving easy access for supervisory authorities to contact them.
When do you need to designate a UK Representative?
If your company is located outside the UK and offers goods or services to the UK or monitors the behavior of individuals, you could be required to appoint a UK Representative. The UK’s applied EU GDPR regime is available to non-UK established companies that are performing activities in the UK. It has the same extraterritorial reach as EU GDPR, with some exceptions. Take our free self-assessment and check if you’re required to comply with this obligation.
A representative is appointed by the appointing entity in a service contract to represent that entity with regard to specific obligations under UK and EU GDPR, if applicable. In the UK this would typically involve facilitating communications between the appointing entity and the Information Commissioner’s Office or any data subjects that are affected in the UK. Representatives can be an individual or a company which is based in the UK. The body that appointed them must inform the subjects of data that the Representative will be processing their personal data and that the identity of the individual or business is readily accessible to supervisory authorities.
The appointing entity must also provide the contact information of its representative to the ICO and all data subjects affected in the UK in accordance with Articles 13 and 14 of UK GDPR. It is essential to clarify that the representative’s job is different from the role of a Data Protection Officer (DPO), which requires a degree of autonomy and independence that is not available to the role of a representative.
If you need to appoint a UK representative, it is recommended to do so as quickly as possible. This is because the requirement arises immediately following Brexit (if there is either a ‘hard’ or ‘no deal’ Brexit) or after an implementation period (if there is a soft or ‘with deal’ Brexit). There is no grace period.
What are the requirements to become a UK representative?
According to UK data protection laws, a representative is a person or a business who is “designated” in writing by an entity that doesn’t have a physical presence in the UK, but is still subject to the law. The UK representative should be capable of representing the entity in compliance with its legal obligations, and their contact information should be made readily available to those in the UK who have personal data being processed by the non-UK company.
The individual who is the UK representative must be a senior worker of the media or business organisation and have been recruited and taken on as an employee outside of the UK by that business or media organisation. The visa applicant must plan to serve as the UK representative of the business or media organisation full-time, and must not be engaged in other business activities in the UK.
In addition, the visa applicant must demonstrate the required skills and experience to fulfill their duties as a UK Representative, which includes serving as the local contact for inquiries from data subjects as well as the UK data protection authorities. The UK Representative must possess sufficient knowledge and understanding of UK data protection laws to be capable of responding to queries or requests from data protection authorities and individuals exercising their rights.
As the Brexit process continues, it is likely the UK data protection laws will change in the future. However, at present it is expected for companies from outside the UK that conduct business in the UK and collect personal data of individuals in the UK to nominate UK Representatives.
This is because Article 27 of the UK’s GDPR, which was adopted as a UK national law, requires companies without any presence in the UK to nominate a UK representative for data protection. If you are unsure of whether you need to designate a UK representative for data protection, it is suggested that you consult an experienced legal advisor.