The Brexit transition period will come to an end on 31 December 2020. Once the United Kingdom (“UK”) officially leaves the European Union (“EU”), the UK will become a third country under the law of the European Union. Under EU law, a third country is a country or territory that is not a member of the EU, and hence not subject to the rights and obligations that arise from being part of the EU. Even once negotiations between the UK and the EU conclude and EU law ceases to apply, UK entities must continue to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as it has been onshored by UK law.
The consensus is that, at least in the short to medium term, there will not be much change to the practical aspects of GDPR compliance. However, as UK entities will be by definition organisations without a permanent establishment in the European Economic Area (the “EEA”, essentially the countries forming the EU, plus three of the four countries that comprise the European Free Trade Association (“EFTA”): Iceland, Liechtenstein and Norway; excluding Switzerland), there might be a need for UK entities to appoint a European representative, as required under article 27 of the GDPR.
To determine whether an entity based in the UK requires a European representative, article 3(2) of the GDPR sets out two conditions:
- the UK company has no offices or branches in the EEA; and
- it is either monitoring individuals or offering goods or services to these individuals in the EEA.
If the above conditions apply, and the UK-based entity intends to continue its activities subject to the GDPR in the EEA, then after the transition period ends that entity will need to appoint a representative in the EEA.
Under article 27 of the GDPR, this representative will need to:
- be set up in an EU or EEA state where some of the individuals whose personal data are being processed are located;
- be authorised in writing;
- act on the UK entity’s behalf regarding GDPR compliance; and
- deal with any supervisory authorities or data subjects in this respect.
The representative may be an individual, a company or organisation established in the EEA (e.g. a law firm, consultancy or private company), as established by Directive 95/46/EC, and must be able to represent the UK entity regarding its obligations under the GDPR.
In practice, the easiest way to appoint a representative may be under a simple service contract. The details of the UK entity’s representative need to be given to the EEA-based individuals whose personal data it is processing. This may be done by including them in the privacy notice given to those individuals or in the upfront information given when collecting their data. It is also paramount that this information is easily accessible to supervisory authorities, for example by publishing it on the UK entity’s website. The appointment of the representative must be in writing and should set out the terms of the UK entity’s relationship with them. Having a representative does not affect the UK entity’s own responsibility or liability under the EU GDPR.
However, article 27 contains two exemptions. It does not apply if:
- the UK entity is a public authority;
- the data processing is occasional;
- the UK entity is of low risk to the data protection rights of individuals; and
- it does not involve the large-scale use of special category or criminal offence data.
In all other cases, UK entities need to appoint a representative in the EEA.
On the UK side, the government has indicated that after the transition period, a controller or processor located outside the UK will need to appoint a UK representative in order for all non-UK established entities to process data in the UK.
UK entities will need to carefully think about how to process data in the UK and, if applicable, the EU. If a UK entity does not have a base in the EEA, but does process data from the EEA, and if the exemptions provided by article 27 of the GDPR do not apply, the UK entity will need to deal with the burden of appointing a representative.
With the transition period due to conclude by the start of January 2021, this is a good time for companies to prepare for the post-Brexit changes in data regulations.
For more information, and any guidance or advice on GDPR compliance and how to establish a European representative, Cleveland & Co External In-house counsel™, your specialist outsourced legal team, are here to help.