Appointment of a European GDPR representative - "The Known Unknown"
How prepared UK businesses are for Brexit remains to be seen, but anecdotal evidence suggests that many are not looking at solutions until the problem is better understood. Brexit still has, in the (now infamous) words of Donald Rumsfeld, “knowns… known unknowns… [and] unknown unknowns”.
One key aspect of Brexit preparedness for UK businesses will be to ensure that GDPR compliant transfers and processing of personal data to and from the EEA can continue after 31 October 2019.
Many businesses based outside of the EEA will already be familiar with the obligation, under article 27 of GDPR, to designate a representative if they control or process the personal data of European data subjects. This article looks at how these obligations will apply to the UK in the event of “no deal” Brexit as well as discussing some basic steps businesses may want to take.
When would a UK business need to appoint a European GDPR representative?
1. If your business does not have an “establishment” in the EU or EEA:
Recital 22 of the GDPR indicates that “an establishment implies the effective and real exercise of activities through stable arrangements”. Putting it plainly, this is most likely to be a subsidiary or branch office based in an EEA member state, but could also include the presence of a sole employee or agent (provided that it is a stable arrangement and the economic activities being undertaken are real). So, while the definition of “establishment” is broad, determining whether a UK company has an establishment in the EEA is likely to turn on each business’ specific circumstances. What is clear is that a UK company will not have an establishment simply by making its website accessible in the EEA.
2. If your business is “targeting” individuals in the EU or EEA:
Targeting is defined under article 3(2) of GDPR as processing personal data of EEA data subjects where those processing activities relate to: “(a) the offering of goods and services, irrespective of whether a payment is required; or (b) the monitoring of their behaviour… within the Union”.
The mere accessibility of a controller’s or processor’s website within the EU will not constitute offering goods and services. But where a UK based business: (i) specifically makes reference to a member state when offering its goods and services; or (ii) launches a marketing campaign in a member state; or (iii) pays for search engine optimisation in a member state; or (iv) uses a top level domain name associated with that member state; or (v) uses European languages, allowing for payment in Euros and delivery of goods or services in that member state; then these factors are likely to constitute targeting for such a purpose.
Therefore, if your business does not have a physical presence in the EEA and you are intentionally processing the personal data of data subjects in the EEA then: (i) the processing of that data will be subject to GDPR; and (ii) under article 27(1) you will need to appoint a representative within the EEA.
Appointment of a GDPR representative:
Recital 80 of GDPR states that “the representative should be explicitly designated by a written mandate of the controller or processor to act on its behalf with regard to its obligations under this Regulation”. In practice, this means that UK based businesses will need to enter into a services contract to govern relations and the obligations between them and their European representatives.
The representative may be a natural or legal person and therefore, the role of representative can be assumed by a wide range of entities – including law firms, auditors and consultancies. When the role of the representative is provided by an organisation it is best practice that a single individual be specified as the lead contact for each business, and this should be set out in the services contract. It is also recommended that if a significant proportion of the personal data processed by a UK business relates to the data subjects of a particular member state, then the representative should be established in the same member state, so as to avoid language and time zone barriers.
There is no obligation on either the business or the appointed representative to notify the Information Commissioner’s Office (“ICO”) or any other supervisory authority of the appointment. However, to ensure compliance with the transparency obligations under articles 13(1)(a) and 14(1)(a) of GDPR, controllers must provide data subjects with information as to the identity of their representative within the EEA at the time of data collection. Accordingly, UK based businesses appointing European representatives are likely to have to update their privacy policies, and notify their existing customers of such changes.
Responsibilities of the GDPR representative:
A representative is required to “…perform according to the mandate received from the controller or processor, including cooperating with competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation”. In other words, the representative is responsible for facilitating any enquiry, request or investigation made by a data subject or a European supervisory authority on behalf of the UK-based business. Therefore, UK based businesses should be assessing whether a potential representative has the skills, experience and personnel available to timeously communicate with data subjects and supervisory authorities.
The representative is under a joint obligation to maintain a record of the processing activities under the responsibility of the UK based business, as required by article 30 of GDPR. Accordingly, the UK based business must provide its representative with accurate and updated information, which in turn the representative must maintain and make available to supervisory authorities.
It is important to note that the appointment of a representative does not shift the responsibility for compliance with GDPR and data subject rights from UK based businesses on to representatives. However, the concept of a representative was introduced into the GDPR with the aim of allowing supervisory authorities to take enforcement action against representatives on the same basis as controllers and processors. Accordingly, UK based businesses should carefully review the terms of the services contract to ensure that liability is fairly apportioned between the parties and that the representative has sufficient insurance to cover the potential fines and penalties it may incur. Both of these are likely to prove challenging in the current climate, particularly given the recent notices of intention to fine announced by the ICO against British Airways and the Marriott Hotels Group.
The appointment of a representative is also important for non-EEA businesses who have an establishment in the UK for the purpose of processing the personal data of European data subjects. In the event of a “no-deal” Brexit they too will have to appoint a suitable representative.
It is also understood that after Brexit, the UK government will require any controller or processor which does not have an establishment in the UK to appoint a representative to ensure compliance with the UK’s own version of GDPR. This therefore presents opportunities to UK businesses ready and willing to act as appointed representatives.
So, while the date and terms of Brexit continue to be “unknowns”, the process for appointing a representative and ensuring ongoing compliance with GDPR is at least now one of the “knowns”.