The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Does this section apply to us?

This section applies if you are a controller or processor that is located outside of the UK:

  • with no offices, branches or other establishments in the UK; but
  • you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK.

How can we prepare?

If you do not have any UK offices, branches or other establishments, you should consider whether you are processing personal data of individuals in the UK that relates to either:

  • offering goods or services to individuals in the UK; or
  • monitoring the behaviour of individuals in the UK.

If you are carrying out such processing, and intend to continue after the end of the transition period, you will need to consider whether you must appoint a UK representative.

You will need to put in place an appropriate written mandate for that representative to act on your behalf. Information about the representative should be provided to data subjects, for example, in your privacy notice. It should also be made easily accessible to supervisory authorities, for example by publishing it on your website.

What are the rules?

If you are based outside of the UK and do not have a branch, office or other establishment in the UK, but you either:

  • offer goods or services to individuals in the UK; or
  • monitor the behaviour of individuals in the UK,

then you will need to comply with the UK GDPR regarding this processing after the end of the transition period.

As you will not have a base inside the UK after the transition period ends, the UK GDPR will require you to appoint a representative in the UK.

You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to deal with the ICO and data subjects in this respect.

Your representative may be an individual, or a company or organisation established in the UK, and must be able to represent you regarding your obligations under the UK GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

You should give details of your representative to UK-based individuals whose personal data you are processing. This may be done by including them in your privacy notice or in the upfront information you give them when you collect their data. You must also make it easily accessible to supervisory authorities – for example by publishing it on your website.

Your appointment of your representative must be in writing and should set out the terms of your relationship with them. Having a representative will not affect your own responsibility or liability under the UK GDPR.

Example

An EEA based sales firm does not have offices in the UK, but has a regular client base in the UK. The firm must appoint a UK representative to act as its direct contact for data subjects and the ICO.

The firm will have to include the name of its UK representative in the information it provides to the data subjects, for example in its privacy notice. It need not inform the ICO of this, but the details should be easily accessible to the ICO.

You do not need to appoint a representative if either:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

If you are not sure about any aspect of appointing a representative, you may wish to take independent legal advice.