Data Protection – Do you need a representative?
The European General Data Protection Regulation (EU GDPR) has a wide territorial scope. It doesn’t only apply to controllers or processors established in a Member State.
Your organisation will need to comply with the EU GDPR if it is not established in the EU, e.g. if it established in the UK or elsewhere, but processes the personal data of individuals in the EU where the processing is related to
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the EU.
In addition, as well as complying generally with the EU GDPR, there is an obligation to have a GDPR representative established in the EU, if your business is based outside the EU and you do regular business in the EU.
Following Brexit, the UK now has its own data protection regime. The main piece of legislation is a version of the General Data Protection Regulation 2016 which has been amended to reflect the UK’s position following Brexit (the UK GDPR). This must be read with the UK’s Data Protection 2018.
Your organization is obliged to comply with the UK GDPR if it is a controller or processor established outside the UK e.g. in an EU member State or elsewhere, and processes the personal data of individuals in the UK where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.
The UK GDPR also imposes an obligation to have a UK representative on non-UK businesses. Depending on the type and regularity of the processing, a non-UK established controller or processor is obliged to designate in writing a representative in the UK.
How Spencer West can help
Our data protection experts can advise you on whether you are required to have an EU and/or a UK Representative.
As a law firm based in the UK with an EU office in Belgium, we also offer our clients both an EU and a UK Representative service. The services are provided by highly experienced data protection lawyers. The services are provided on a fixed annual fee basis which is determined by the size and complexity of the client’s data processing. Unlike some others offering EU/UK Representative services, our advice is legally privileged.
For more information please contact our experts below.
Article written by:
Jan Cant is a Partner Solicitor at Spencer West. He specialises in Corporate Law, M&A, Contracting, IT & Telecoms, PPP, GDPR, International Institutions, Construction and Real Estate.
Partner – Corporate Law, M&A, Contracting, IT & Telecoms, PPP, GDPR, International Institutions, Construction and Real Estate
Mark Gleeson is a Partner Barrister at Spencer West. He specialises in Data Protection, GDPR, Information Governance, Data Breach, Litigation, Regulatory Investigations, Cross-Border, Clinical & Medicines Law, Privacy, Public Law, Freedom of Information, Environment Information Regulation, Data Monetisation & Big Data.
Partner – Data Protection, Cyber Security and Information Law
+44 (0)7768 464213
UK-EU break up to make up roundtable series
Please join us for an informal conversation about immigration issues affecting EU nationals and their employers in the UK....
Webinar | Immigration | Post-Brexit
Sponsorship Forever – An update on the new Skilled Worker and Intra-Company Transfer routes
The new rules for Skilled Workers and Intra Company Transfer Workers have been in place since 1 December 2020. Join us as we...
Webinar | Immigration | Post-Brexit