EU Representatives of UK companies under GDPR in light of Brexit
As of 01.01.2021 the UK is officially no longer part of the European Union. From a GDPR legal perspective this means that UK companies must make certain changes in their approach if their business includes processing the personal data of EU clients. As the UK now has the status of a third country to the EU, all UK companies need to meet certain requirements with respect to personal data transfers and the appointment of a GDPR EU Representative.
Unlike personal data transfers, for which the EU and UK reached an agreement for a transition period as per the signed Trade and Cooperation Agreement, the obligation of UK controllers/processors to appoint an EU Representative is in full effect as of 01.01.2021. UK companies must comply with this obligation and further update their privacy notices in order to include details of their GDPR Representative in the EU. In this regard, the following presents a short summary of what an EU Representative under the GDPR is, what its functions are and which requirements non-EU companies (now including UK companies as well) might need to consider in order to be compliant with GDPR rules.
Legal framework
The figure of the EU Representative is introduced in article 17 of the GDPR, which describes its main functions. However, the European Data Protection Board has set out some further details for non-EU companies to consider in its adopted Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) (“The Guidelines”). These Guidelines provide very helpful clarifications on whether a non-EU company falls under the scope of GDPR, but also on some important principles for the appointment, obligations and liability of EU Representatives.
Both GDPR and the Guidelines shed more light on the legal figure of the EU Representative.
Appointment of an EU Representative
First, it needs to be outlined that the appointment of an EU Representative is mandatory for all companies which either offer goods or services to EU citizens or monitor their behaviour, as far as that behaviour takes place within the EU. GDPR requires that such a Representative is established in one of the Member States where the data subjects are located. Where there are data subjects located in different EU Member States, the EDPB Guidelines clarify that it is good practice (but not mandatory) to establish an EU Representative in the Member State where the largest number of their data subjects are based. In each case, there needs to be an adequate mechanism for easy access to the EU Representative by the data subjects and Data Protection Authorities.
As per the Guidelines, there is no need to appoint a separate EU Representative for each data processing activity. However, the function of the EU Representative is not compatible with the role of any EU-based processor or DPO, as each role needs to be independent due to the risk of conflicts of interest.
The EU Representative acts upon a mandate from the non-EU company. Following the obligations set in art. 13, par. 1 (a) and art. 14, par. 1 (b), the identity and contact details of the EU Representative are to be included in the controller’s/processor’s privacy notices to the data subjects prior to the collection of their data. This information should also be easily accessible to the relevant supervisory authorities in order to facilitate the establishment of contact for cooperation needs.
Role and activity of the EU Representative
The main role of the EU Representative is to be the main point of contact for data subjects and data protection authorities.
With respect to data subjects' rights, the EU Representative manages all requests, complaints and objections regarding the controller’s/processor’s personal data processing activities, and facilitates the communication between the data subjects and the controller/processor in order to make the exercise of data subjects' rights more effective.
It also acts as the point of contact of the data controller in the communication with data protection authorities in order to ensure cooperation for data protection compliance.
The EU Representative is obliged to hold, maintain, and provide to supervisory authorities the Article 30 GDPR records of processing activities of the controller/processor. This obligation is to be distinguished from the obligation to prepare these records. The latter duty rests with the controller/processor under its general obligation for GDPR compliance. However, it is the EU Representative’s responsibility to be able to provide these records when requested by an EU data protection authority.
Liability
As a general rule, the liability for non-compliance with the GDPR rules falls on the data controller/processor. This principle is further confirmed by the EDPB Guidelines, which state that “The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union”. However, it is also clarified that the concept of the EU Representative aims to facilitate and ensure effective enforcement of GDPR rules against non-EU controllers or processors falling in the scope of Art. 3, par. 2. Therefore, supervisory authorities may address to the EU Representative any corrective measures or administrative fines and penalties imposed on the non-EU data controller/processor.
Without prejudice to the above, an EU Representative is only directly liable before data protection authorities for non-compliance with its art. 30 GDPR records management obligations and with its duty to assist the supervisory authorities with their investigations under art. 58, par. 1 GDPR.
Conclusion
The departure of the UK from the European Union poses some challenges to UK companies which conduct their activities with EU clients. From a data protection perspective, the new role of the UK as a third country to the EU brings the need for adaptation of companies’ data protection policies and procedures. In this regard, one of the most important objectives seems to be the appointment of an EU Representative in order to ensure GDPR compliance.
Popov, Arnaudov & Partners provides the services of EU GDPR Representative. If you would like to learn more, e-mail us at dataprotection@popovarnaudov.bg
Author: Ivan Volodiev