1 January 2021 marks the end of the Brexit transitional period. This is also the date on which a number of key data protection changes take effect. One such change is that UK-based organisations must, in certain circumstances, appoint an EU-based representative to represent them in the EU.
Below we set out and answer the three most common questions regarding appointing an EU representative for data protection purposes.
An EU representative is an individual or organisation which acts as your point of contact for data subjects living in the EU and for EU data protection regulators.
Your representative is responsible for:
Both data controllers and data processors need to consider appointing a European representative if they meet the below criteria.
If you are based in the UK and do not have a branch, office or other establishment in an EU or EEA state, but you either:
then you will need to appoint a European representative unless an exception applies (see below). Remember, you will also need to continue to comply with the EU GDPR in relation to the above processing.
You don’t need to appoint an EU representative if:
Your European representative needs to be based in a country where your data processing activities take place. You only need to appoint one representative for the entirety of the EU. For example, if you offer goods or services to individuals in Germany, France and Italy then you can appoint a European representative in any one of those countries, but you cannot appoint a representative in Spain.
You don’t need to use a specific document to instruct your European representative but the appointment should be documented in writing. You can use a simple services contract which sets out the representative’s responsibilities. If you instruct a professional representative (i.e. an external business which specialises in acting as a representative for a number of organisations) then they should have a standard agreement for you to sign. As with all legal documents, this should be reviewed carefully.
Once you’ve instructed your European representative you should update your privacy notice with their details. You must also make the information easily accessible to EU regulators. Typically the best way to do this is to include the information on your website.
For assistance preparing or reviewing an EU representative agreement, or for further advice on data protection compliance post-Brexit, please contact Ryan Mitchell.