Do I need to appoint an EU representative for data subjects living in the EU?
Do I need to appoint an EU representative for data subjects living in the EU?
1 January 2021 marks the end of the Brexit transitional period. This is also the date on which a number of key data protection changes take effect. One such change is that UK-based organisations must, in certain circumstances, appoint an EU-based representative to represent them in the EU.
3 most common questions on appointing an EU representative
Below we set out and answer the three most common questions regarding appointing an EU representative for data protection purposes.
What is an EU representative?
An EU representative is an individual or organisation which acts as your point of contact for data subjects living in the EU and for EU data protection regulators.
Your representative is responsible for:
- Facilitating communication with your data subjects to ensure they can effectively exercise their data protection rights. For example, by passing on a data subject’s subject access request to you. The representative is not directly responsible for acting upon the data subject’s request. That is still your responsibility.
- Maintaining your record of processing activities. This is a joint responsibility between your representative and you. You remain primarily responsible for the content and updating of your record of processing activities and you must give your representative up to date information. Your representative is responsible for keeping their copy up to date based on the updates you provide.
- Receiving communications from EU supervising authorities (i.e. data protection regulators). Local regulators can contact your European representative directly to discuss European data protection matters. Your representative will forward these communications on to you and is responsible for replying on your behalf in accordance with your instructions.
Do I need to appoint a European representative?
Both data controllers and data processors need to consider appointing a European representative if they meet the below criteria.
If you are based in the UK and do not have a branch, office or other establishment in an EU or EEA state, but you either:
- offer goods or services to individuals in the EEA; or
- monitor the behaviour of individuals in the EEA,
then you will need to appoint a European representative unless an exception applies (see below). Remember, you will also need to continue to comply with the EU GDPR in relation to the above processing.
You don’t need to appoint an EU representative if:
- you are a public authority; or
- your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data. Please be aware that the meaning of ‘occasional’ is interpreted very narrowly. We recommend that you take advice before relying on this exception.
How do I instruct a European representative?
Your European representative needs to be based in a country where your data processing activities take place. You only need to appoint one representative for the entirety of the EU. For example, if you offer goods or services to individuals in Germany, France and Italy then you can appoint a European representative in any one of those countries, but you cannot appoint a representative in Spain.
You don’t need to use a specific document to instruct your European representative but the appointment should be documented in writing. You can use a simple services contract which sets out the representative’s responsibilities. If you instruct a professional representative (i.e. an external business which specialises in acting as a representative for a number of organisations) then they should have a standard agreement for you to sign. As with all legal documents, this should be reviewed carefully.
Once you’ve instructed your European representative you should update your privacy notice with their details. You must also make the information easily accessible to EU regulators. Typically the best way to do this is to include the information on your website.
For assistance preparing or reviewing an EU representative agreement, or for further advice on data protection compliance post-Brexit, please contact Ryan Mitchell.
SIGN UP to receive email notification when our dedicated Brexit hub is updated with the current legal position on Brexit and how it may affect your business.