What Is a UK Representative and Why Do You Need One?

Natacha has served in a number senior positions at the Foreign Office, including as Deputy Ambassador for China and Director of Economic Diplomacy and Emerging Powers. She also worked on global trade policy and international issues related to development.

Businesses that are not located in the UK are required to adhere to UK privacy legislation. They must appoint a representative in the UK who will be their point-of-contact for individuals who have data and the ICO.

What is a UK representative?

The UK Representative avon representative near me [Tujuan.Grogol.Us] is a person, business or organisation that has been mandated by a controller or processor of data to act on behalf of the controller or processor Representative avon on all matters related to GDPR compliance. They will be the primary point of contact for queries from individuals exercising rights or requests from supervisory authorities. They could also be subject to national laws that have been put in place due to the GDPR's extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).

The appointment of a Representative is required under Article 27 of the EU GDPR, and the UK equivalent section 3(2) of the Data Protection Act 2018. The requirement applies to any entity that does not have a separate establishment within the United Kingdom and that offers services or goods to or monitors the behavior of people who reside in the United Kingdom, or that handles personal data of these individuals. The representative must be able to show evidence of their identity and that they are competent in representing the data controller or processor in respect to the UK GDPR's requirements.

In addition to acting as a platform for individuals to exercise their rights under GDPR as well as a means for individuals to exercise their rights under GDPR, the representative must also able to communicate with authorities in the event of a breach. This is because the Representative needs to send a notice to the supervisory authority who appointed them, regardless of whether the breach impacts the data subject across multiple jurisdictions.

It is crucial that the representative you choose has experience working with both European and UK authorities for data protection. It is also desirable for them to be proficient in local languages since they are likely to receive contact from individuals and agencies in the countries they work in.

Although the EDPB states that the Representative will be held accountable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has established that a Representative cannot be sued by a person for the data controller's inability to comply with the UK GDPR. The court ruled that the Representative was not in direct connection with the data processing activities of the represented entity.

Who needs to appoint a UK Representative?

The EU GDPR stipulates that businesses from outside the EU with no office or branch in the EU, that target products or services to European citizens, must designate a Representative. This is in addition the requirements of national laws on data protection. A representative's job is to be a local point-of-contact for supervisory bodies and individuals regarding GDPR concerns.

The UK has an identical requirement to that of the EU that is described in Article 27 of UK-GDPR. Similar to the EU requirement the threshold is not high and any business that offers products or services to, or monitors the conduct of data subjects in the UK must designate an UK representative.

According to the UK-GDPR a representative must be approved in writing by the data subject or the [British Information Commissioner's Office] "to be contacted, further or alternately, on behalf the controller or processor". They cannot be personally accountable for compliance with the GDPR. However, they must cooperate with supervisory authorities in official proceedings and receive communications from data subjects who exercise their rights (access request, right to be forgotten, etc. ).

Representatives should be located in the member state of the European Union in which the individuals whose personal information is processed reside. In the majority of cases, this is not an easy decision to make. A careful analysis of the legal and business context is required to determine the location(s) most suitable for an organization. We provide an unrivalled service to assist companies in assessing their requirements and deciding on the most appropriate option for them.

It is also recommended that representatives have previous experience in dealing with supervisory authorities as well as handling data subject inquiries. Local language skills can also be important, as the job could involve dealing with requests from supervisory authority or data subjects in multiple countries throughout Europe.

The identity of the representative must be made known to the individuals who are the data subjects via privacy policies and the information given prior to collecting data (see article 13 in the UK-GDPR). The UK Representative's contact information should also be published on your website, giving easy access for supervisory authorities to get in touch with them.

When do you need to designate a UK Representative?

If your company is located outside the UK provides products or services to people in the UK, or monitors their behaviour and conducts surveillance, you may have to designate an UK Representative. The UK's applied EU GDPR regime is applicable to non-UK established companies which are operating in the UK. It has the same extraterritorial scope as EU GDPR, with limited exceptions. You can take our no-cost self-assessment to see whether you have this obligation.

A Representative is mandated by the appointing entity under an agreement to act on behalf of that entity with regard to a number of its obligations under UK and EU GDPR if applicable. In the UK it would involve facilitating communication between the appointing entity and the Information Commissioner's Office or any data subjects affected in the UK. A Representative could be an individual or a company with a UK base. The appointing body must inform the data subjects that the Representative is processing their personal information and ensure that the identity of the individual or company is readily available to supervisory authorities.

The appointing entity must also provide the contact information of its representative to the ICO and all data subjects affected in the UK in accordance with Article 13 as well as 14 of the UK GDPR. It is essential to clarify that the representative's job is distinct from the role of the role of a Data Protection Officer (DPO), which requires a degree of independence and autonomy that is not available to the role of a representative.

If you need to appoint a UK representative it is recommended to do so as fast as possible. This is because the need for this comes immediately after Brexit (if there is an 'hard' or 'no deal' Brexit) or after an implementation period (if there is a'soft' or "with deal" Brexit). There is no grace time.

What are the requirements to become a UK representative?

According to UK laws on data protection, a representative is a person or a company who is "designated" in writing by an entity which does not have a physical presence in the UK but is subject to the law. The UK representative must be capable of representing the entity in relation to its legal obligations and their contact information should be made readily available to those in the UK whose personal data is being processed by the non-UK company.

The person who is the UK Representative must be a senior employee of the foreign business or media organisation and have been recruited and appointed as an employee outside the UK by that business or media organisation. The person applying for the visa must intend to be employed full-time as the UK Representative for the media or business company, and are not allowed to engage in any other business activities in the UK.

The visa applicant also needs to prove that they have the expertise and experience needed to fulfill their duties as UK representative, which entails acting as the local contact point for individuals who are data subjects as well as UK data protection authorities. This is to ensure that the UK Representative has sufficient knowledge of and expertise in the UK data protection laws and is able to respond to requests from individuals exercising their rights under the law in addition to any other inquiries or requests received from data protection authorities.

As the Brexit process continues, it is likely that the UK laws on data protection will evolve over time. At present, it is expected that non-UK businesses who do business in the UK and handle personal data of individuals within the UK will need to designate an UK Representative.

This is because article 27 of the UK's GDPR that was adopted as a UK national law, requires companies without any presence in the UK to nominate the position of a UK representative for data protection. If you are unsure of whether you are required to appoint an UK representative for data protection, it is recommended that you consult an experienced legal advisor.