When are you obligated to appoint a GDPR Representative (especially for UK firms post Brexit)?
Article 27 of the GDPR requires organizations established in the UK (and all other countries outside the EU) that process personal data of residents from the European Economic Area (EEA) to appoint a Representative that:
- Acts as the point of contact for EEA residents to your company (if requested in their local language);
- Acts as a liaison between Data Protection Supervisory Authorities and your company, and enables supervisory authorities to pursue enforcement actions.
The EEA encompasses all countries of the European Union, Norway, Iceland, and Liechtenstein
So, if you don’t have an establishment in the EEA but sell goods or services to EEA residents; if you process personal data of EEA residents on behalf of companies (inside or outside the EEA) or if you, for any other means, process personal data of EEA residents, you need to appoint a Representative.
This is also required if you don’t explicitly target EEA residents with your services but still process personal data of them.
GDPR Article 27:
When doing business in the EU, a GDPR representative can be obligatory.
Don’t wait for a penalty.
Why not organize it right now.
Contact us for more information on:
+31 88 8483 100
Why do you need to appoint a GDPR Representative now?
Brexit is a fact, and the UK has effectively left the European Union.
Although the UK is now “a third country” under the EU’s GDPR, a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs. However, an EU GDPR representative is mandatory right now, even during the six months transition period.
Compliance with the EU’s GDPR remains an obligation for any website, company or organization who process personal data of EU citizens.
For companies located in the UK, many activities are still within the scope of the GDPR after Brexit. This is the case when:
- The company offers goods or services to EU citizens, regardless of financial transactions taking place;
UK companies that remain subject to the GDPR, should in most cases appoint an EU GDPR representative. An adequacy decision will not change this.
Small and medium sized enterprises can be exempt from this obligation if they only process personal data occasionally, don’t process much sensitive data and the processing is unlikely to result in a risk for EU residents. However, this exemption does not often apply.
This Representative obligation is also applicable for companies located in other non-European countries and offering goods or services to EU citizens.
The extension of the GDPR transition period doesn’t mean you can sit and wait.
Most of our clients want to focus on their business now Brexit has kicked in and need all their attention to get it going again at the pace they are used to let aside to grow their business to mainland Europe. We observe extra burden with contracts, border controls, licenses and taxes.
Do you recognize this?
A GDPR representative should be the least of your worries. Arrange it now and start the service to make sure you comply with EU data protection laws.
What are the GDPR requirements of a representative.
The Representative is required to:
- Co-operate with the supervisory authorities;
- Facilitate communication between data subjects and your organization;
- Be readily accessible to data subjects in all relevant member states (when necessary in their own local language);
- Maintain a Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.
Supervisory authorities can pursue enforcement actions through the Representative for noncompliance of the organisation they represent
- Is appointed to represent data controllers or processors that are not established in the EU
- Must be established in one of the member states where the controller’s or processor’s data subjects reside
Your representative should work with you to:
Set up your GDPR Representation
- Understand your data flows;
- Review previous gap analysis and impact assessments;
- Be aware of any (previous) breaches or non-compliance;
- Establish a copy of your Records of Processing Activities (RoPA).
Provide ongoing GDPR Representation
- Maintain and an up-to-date copy of your RoPA on an ongoing basis;
- Translate and respond to queries from European data protection authorities and residents;
- Advice on reporting and communication of personal data breaches;
- Log breaches reported to directly to the representative;
- Receive and log data subject rights requests and advise on suitable responses;
- On request, advise on data protection regulatory issues that impact your organisation.
Our dedicated GDPR team
Our team consists of business analysts, legal, IT and GDPR professionals. Our skillset includes a high level of GDPR expertise, excellent communication skills and a can-do mentality, all of which we dedicate to your enterprise. We understand business needs and interests, so we appreciate the trade-off of GDPR accountability.
If you also need support for your DPO while conducting DPIAs or external audits, initiating awareness campaigns or any other relevant GDPR tasks, please do not hesitate to contact us.
News and blog articles about GDPR topics and interesting developments.
If you have questions about our GDPR Representative role for these companies, contact us at email@example.com
P.C.W. Cuijpers MSc
Vivenics Managing Director
IT consultant, Data Integrity expert
R. Verhoeven, LLM/MSc
IAPP CIPP/E, certified privacy professional
Privacy professional, business analyst
IAPP CIPP/T and Tulser GDPR graduate
C.N. de Vink, BSc
IT expert, privacy professional
IAPP CIPP/E, Security, Agile, Kanban, Prince II
J.C.M. Hoogzaad, BSc
J.H.T.M. Mommersteeg, BSc
Data Quality expert