Does this section apply to us?

You should read this section if you are a UK-based controller or processor:

  • without any offices, branches or other establishments in the EEA;

and

  • you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals located in the EEA.

You do not need to read this section if you are a UK-based controller or processor:

  • with one or more offices, branches or other establishments in the EEA;

or

  • you do not offer goods or services to individuals in the EEA and you do not monitor the behaviour of individuals located in the EEA.

What are the key points?

If you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either:

  • offer goods or services to individuals in the EEA; or
  • monitor the behaviour of individuals located in the EEA,

then you will still need to comply with the EU GDPR regarding this processing even after the UK leaves the EU.

As you will not be an EEA-based controller or processor after exit date, the EU GDPR requires that you must appoint a representative within the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located.

You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.

Your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you in respect of your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

You should provide EEA-based individuals whose personal data you are processing with the details of your representative. This may be done by including them in your privacy notice or in the upfront information provided to individuals when you collect their data. You must also make it easily accessible to supervisory authorities – for example by publishing it on your website.

Your appointment of your representative must be in writing and should set out the terms of your relationship with them. Having a representative does not affect your own responsibility or liability under the EU GDPR.

Example

A UK law firm does not have offices in other EEA countries, but has a regular client base in Sweden and Norway (only). The firm will be required to appoint a European representative to act as its direct contact for data subjects and EU and EEA supervisory authorities. This European representative may be based in either Sweden or Norway, but not any other EU or EEA member state.

The firm will have to include the name of its European representative in the information it provides to the data subjects, for example in its privacy notice. It is not required to inform the supervisory authorities in either Sweden or Norway, or indeed the ICO, of this, although the details should be easily accessible to those supervisory authorities.

You do not need to appoint a representative if either:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve special category or criminal offence data on a large scale.

The EDPB has published guidelines on territorial scope which are out for consultation. These contain more guidance on appointing a representative. The view of the EDPB is that supervisory authorities are able to initiate enforcement action (including fines) against a representative in the same way as they could against the controller or processor which appointed them.

The UK government intends that after the UK exits the EU, the UK version of the GDPR will require that a controller or processor located outside of the UK, but which must still comply with the UK GDPR, will be required to appoint a UK representative.

How can we prepare?

  • If you do not have any EEA offices, branches or other establishments, you should consider whether you are processing personal data of individuals in the EEA which relates to either:
    • offering goods or services to individuals in the EEA; or
    • monitoring the behaviour of individuals located in the EEA.
  • If you are carrying out such processing, and intend to continue after exit date, you will need to consider whether you must appoint a European representative.
  • You will need to consider in which EU or EEA state your representative will be based and put in place an appropriate written mandate for that representative to act on your behalf. Information about the representative should be provided to data subjects, for example, in your privacy notice. It should also be made easily accessible to supervisory authorities, for example, by publishing it on your website.