The long-awaited agreement between the UK and the EU has finally arrived! And it reshuffles the cards regarding transmission of personal data from the EU to the UK. But does it also impact the UK-based controller or processor’s obligation to designate a GDPR-representative in the EU?
Territorial scope of the GDPR
When the GDPR was adopted, one of the objectives was to establish a territorial scope as wide as possible. Consequently, the GDPR does not only apply to companies established in the EU. The EU establishment may be a headquarter or a simple office.
It also applies to businesses not established in the EU (as UK-businesses since January 1st, 2021) that:
- offer goods or services to data subjects in the Union. It can be through an e-commerce site, with prices in euros.
- or monitor the behaviour of data subjects within in the EU (profiling, prediction of preferences, behaviours and attitudes. It covers the use of Cookies, Javascript, Facebook, Wechat, …);
- or act as a processor for a controller established within the EU.
The EU GDPR-representative
If a company does not have any establishment in the EU, it has to designate a “GDPR-representative”.
The EU representative accounts for the data controller or processor. He/She acts as the point of contact in the EU, between the data controller or processor and the data subjects or the supervisory authority.
This designation can only be avoided in some particular cases:
- if the processing is occasional, and does not include, on a large scale, processing of special categories of data (listed in article 9 (1) of the GDPR) or processing of personal data relating to criminal convictions and offences (article 10 of the GDPR); or
- when the processing is being carried out by a public authority or body.
What about the UK since the recent UK-EU agreement?
Since the UK is no longer part of the European Union, UK-based controllers/processors also have to designate a GDPR-representative. The EDPB recalled it in a statement in the mid-December 2020. The recent agreement between the EU and UK does not change anything.
Indeed, the agreement is limited to making Chapter 5 of the GDPR, relating to data transfers to third countries or international organizations, inapplicable to the UK.
To the contrary, as the UK is no longer part of the Union, the obligation to appoint an EU representative, is still applicable.
What if I process personal data of data subjects located in the UK?
For data transfers from the UK to the EEA, the EDPB recommends to regularly consulting the UK Government’s website and the ICO’s website.
At this moment, controllers or processors located outside of the UK with no offices, branches or other establishments in the UK, but offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK, have to appoint a GDPR-representative in the EU.
Our advice:
The EU representative cannot be confounded with the DPO. Their roles are very different: The DPO does not represent the company, he acts independently. His role is to ensure the compliance with the GDPR. While the EU representative represents the company, it is not independent.
Consequently, even if, as a UK entity, you do not have to designate a representative, maybe you should designate a DPO.