Natacha has held a number of senior roles in the Foreign Office including Deputy Ambassador to China and Director of Economic diplomacy and Emerging Powers. She also has worked on global trade policy and international issues.
Businesses established outside of the UK must adhere to UK privacy laws. They must appoint a sales representative jobs in the UK who will serve as their point-of-contact for individuals who have data and the ICO.
What is an UK Representative?
The UK Representative is an individual, company or other entity that has been formally authorised by the controller or processor of data to act on behalf of the controller or processor in all matters around GDPR compliance. They will be the main contact point for any queries from individuals who exercise their rights or requests from supervisory authorities. They could also be subjected to national requirements that have been put in place because of the GDPR's extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).
The appointment of Representatives is required under Article 27 of the EU GDPR, as well as the UK equivalent, Section 3(2) of the Data Protection Act 2018. This requirement applies to all organizations that do not have a permanent presence in the United Kingdom but offer goods or services or observe the actions of those who reside there or who process personal data. The Representative must be able evidence of their identity and that they are able of representing the controller or processor of data in respect to the UK GDPR's requirements.
The Representative should also be able communicate with authorities if there is a breach. The representative must inform the supervisory authority who appointed them, regardless of whether or not the breach affects individuals in multiple jurisdictions.
It is recommended that your representative has worked with both European and UK-based data protection authorities. It is also recommended that they have local language skills because they are likely to receive contact from both individuals and data protection authorities in the countries where they operate.
While the EDPB states that the Representative should be held accountable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative cannot be sued by a person for the data controller's apparent failure to adhere to the UK GDPR. This is because, according to the court the Representative has no direct connection with the data processing activities carried out by the entity that is represented.
Who should be appointed a UK Representative?
The EU GDPR stipulates that non-EU businesses with no office or branch in the EU, that target goods or services for European citizens, must designate a Representative. This is in addition the requirements of national data protection laws. The role of a representative is to be a local point-of-contact for individuals and supervisory bodies in relation to GDPR issues.
The UK has a similar requirement to the EU as laid out in Article 27 of UK-GDPR. Similar to the EU requirement, the threshold is low and any business that offers goods or local Avon representative services to, or monitors the behavior of data subjects in the UK must choose a UK Representative.
In accordance with the UK-GDPR, a representative must be authorised in writing by the data subjects or the [British Information Commissioner's Office] "to be contacted, in addition or alternatively, on behalf the controller or processor". They are not permitted to be personally accountable for compliance with the GDPR. However, they must cooperate with supervisory authorities in formal proceedings and also receive communications from data subjects exercising their rights (access request, right to be forgotten, etc. ).
Representatives should be located in the member state of the European Union in which the individuals whose personal data are processed are residents. Most of the time, this is not a straightforward decision to make, and a careful analysis of the legal and business context is required to determine the location(s) most suitable for an organisation. We offer a dedicated service that assists businesses to assess their needs and choose the most suitable representative choice.
It is also advisable that the representative has experience working with supervisory authorities and dealing with requests from data subjects. Local language skills are also frequently important as the role is likely to involve dealing with inquiries from data subjects or supervisory authorities in multiple countries across Europe.
The identity of the representative must be disclosed to data subjects through the privacy policies and other information that is provided before collecting data (see article 13 in the UK-GDPR). The UK Representative's contact information should also be made available on your website, allowing an easy way for supervisory authorities to connect with them.
When do you need to appoint an UK Representative?
If your company is located outside the UK and offers goods or services to the UK or monitors the behavior of individuals, you could be required to designate a UK Representative. The UK's Applied GDPR regime is applicable to established non-UK entities that are conducting business in the UK and has the same extraterritorial reach as EU GDPR (with certain exceptions). Take our free self-assessment and see if you are subject to this obligation.
A representative is authorised by the appointing entity in a service contract to represent the entity in relation to a number of its obligations under UK and EU GDPR, if applicable. In the UK this would typically involve facilitating communications between the appointing entity and the Information Commissioner's Office or any individuals affected by the UK. Representatives can be an individual or a business that is established in the UK. The appointing entity must make it clear to the data subjects that their personal information will be processed by the Representative, and the identity of the person or company should be readily available to supervisory authorities.
In accordance with Articles 13 and 14 of the UK GDPR, the appointing entity is also required to provide the contact details of its representative to the ICO as well as to people who have data in the UK. It is essential to clarify that a representative's role is different from that of a Data Protection Officer (DPO) which requires a level of independence and autonomy that is not available to representatives.
If you are required to designate a UK representative it is recommended to do so as quickly as possible. This is because the need for this comes immediately after Brexit (if there is either a 'hard' or "no deal' Brexit) or after an implementation period (if there is a'soft' or 'with deal' Brexit). There is no grace period.
What are the requirements for the designation of a UK Representative?
Under the UK laws on data protection (and specifically article 27 of the UK GDPR) Representatives are an individual or business that is "designated in writing" by an entity that has no presence in the UK but is subject to the rules of the law. The UK representative has to be capable of representing the entity with regard to its legal obligations, and their contact details must be readily accessible to individuals who reside in the UK whose personal data is being processed by the non-UK company.
The UK Representative must be an overseas senior employee of a media or business organization and have been hired and employed as an employee of the media or business organization outside of the UK. The visa applicant must intend to serve as the UK representative for the media or business organisation full-time and not engage in any other business activities within the UK.
The applicant for visas also has to prove that they have the expertise and experience necessary to fulfill their role as UK representative, which involves acting as a local avon for representatives representative - that guy - point of contact for individuals who are data subjects as well as UK data protection authorities. The UK Representative must have the knowledge and understanding of UK laws regarding data protection to be competent to respond to inquiries and requests from data protection authorities and individuals exercising their rights.
As the Brexit process continues it is likely that the UK laws on data protection will evolve as time passes. At the moment, however it is expected for companies from outside the UK that conduct business in the UK, and process personal data on individuals in the UK, to appoint UK Representatives.
This is because the UK GDPR mandates that all entities with no UK presence must appoint representatives under article 27 of the UK GDPR which has been incorporated as a law of the nation in the UK. If you're not sure whether you require a UK data protection rep it is advised to consult a qualified legal professional.
