Does this section apply to us?

This section applies if you are a UK-based controller or processor:

  • with no offices, branches or other establishments in the EEA; but
  • you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.

How can we prepare?            

  • If you do not have any EEA offices, branches or other establishments, you should consider whether you are processing personal data of individuals in the EEA that relates to either:
  • offering goods or services to individuals in the EEA; or
  • monitoring the behaviour of individuals in the EEA.
  • If you are carrying out such processing, and intend to continue after exit date, you will need to consider whether you must appoint a European representative.
  • You will need to consider in which EU or EEA state your representative will be based and put in place an appropriate written mandate for that representative to act on your behalf. Information about the representative should be provided to data subjects, for example, in your privacy notice. It should also be made easily accessible to supervisory authorities, for example by publishing it on your website.

What are the rules?

If you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either:

  • offer goods or services to individuals in the EEA; or
  • monitor the behaviour of individuals in the EEA,

then you will still need to comply with the EU GDPR regarding this processing even after Brexit.

As you will not have a base inside the EEA after exit date, the EU GDPR requires you to appoint a representative in the EEA. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located.  

You will need to authorise the representative, in writing, to act on your behalf regarding your EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.

Your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

You should give details of your representative to EEA-based individuals whose personal data you are processing. This may be done by including them in your privacy notice or in the upfront information you give them when you collect their data. You must also make it easily accessible to supervisory authorities – for example by publishing it on your website.

Your appointment of your representative must be in writing and should set out the terms of your relationship with them. Having a representative does not affect your own responsibility or liability under the EU GDPR.

Example

A UK law firm does not have offices in other EEA countries, but has a regular client base in Sweden and Norway (only). The firm must appoint a European representative to act as its direct contact for data subjects and EU and EEA supervisory authorities. This European representative may be based in Sweden or Norway, but not any other EU or EEA member state.

The firm will have to include the name of its European representative in the information it provides to the data subjects, for example in its privacy notice. It need not inform the supervisory authorities in Sweden or Norway, or indeed the ICO, of this, but the details should be easily accessible to those supervisory authorities.

You do not need to appoint a representative if either:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

The EDPB has published guidelines on territorial scope which are out for consultation. These contain more guidance on appointing a representative. The EDPB’s view is that supervisory authorities are able to initiate enforcement action (including fines) against a representative in the same way as they could against the controller or processor that appointed them.

The UK government intends that after Brexit, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.