In some circumstances, you may want a representative to act on your behalf when exercising your rights under data protection law. For example:
- you may want a solicitor or organisation with data protection knowhow to act for you, or
- you may simply feel more comfortable having another person deal with organisations for you.
The GDPR gives you the right to appoint a not-for-profit body active in the data protection field to act for you when complaining to the ICO or taking a data protection concern to court. A court can also order that compensation is paid to such an organisation on your behalf, or to any other person the court thinks fit.
Outside data protection law, there are other ways in which an individual can act on another person’s behalf. These include power of attorney and the rights of those with parental responsibility to act for a child.
- Who can make a complaint to the ICO on my behalf?
- Can I ask someone to deal with an organisation on my behalf?
- Can I appoint a representative to help me take my case to court?
You can ask someone to complain to the ICO on your behalf about how an organisation has used your data. This does not have to be a not-for-profit organisation; we are happy to accept such complaints from any appropriate person or organisation as long as they can give us proof that:
- you have specifically authorised them to complain to the ICO for you (such as a letter giving them your authority to do so), or
- they have legal authority to make that complaint for you (e.g. power of attorney).
You may want to appoint someone to communicate for you with an organisation that is processing your personal data. This could be to:
- exercise your rights under data protection law – for example making a request for, and receiving copies of, your personal data, or
- complain for you about how your personal data has been used or handled.
The GDPR does not give you any specific rights to appoint someone to act for you when dealing with an organisation that is processing your personal data. However, in most circumstances we would expect organisations to allow you to exercise your data protection rights, or raise data protection concerns, through a properly appointed representative if you want this.
Before dealing with a request or complaint on your behalf by a representative, an organisation is likely to ask your representative for:
- proof that you have given your representative authority to exercise your data protection rights, or make a complaint, for you (such as a letter giving them your authority), and
- proof of your identity.
So you should ensure you can give your representative these pieces of information.
It will ultimately be up to the organisation to decide what information it needs to prove that your representative has your authority, and to confirm your identity, as long as whatever it asks for is reasonable in the circumstances.
Organisations should, of course, also respect any other lawful authority that a representative has to act for you (such as power of attorney), as long as your representative can prove they have such authority.
As explained above, the GDPR gives you the right to appoint certain types of not-for-profit organisation to help you take your data protection concern to court.
Outside data protection law, other rules allow you to appoint a representative in court proceedings. Who this can be depends on the circumstances. For example, specific rules say who can bring a claim on a child’s behalf. So we advise you to seek legal advice on this before appointing a representative to take your case to court.