Natacha has held a number senior positions at the Foreign Office, including as the Deputy Ambassador for China and Director for Economic Diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.
Businesses located outside the UK are bound by UK privacy legislation. They must appoint a representative in the UK who will serve as their point of contact for people who are data subjects and ICO.
What is become a avon representative UK representative?
The UK Representative is a person, business or organization that has been mandated by a controller or processor of data to act in their behalf on all matters relating to GDPR compliance. They will be the main point of contact for enquiries from data subjects exercising their rights, or requests from supervisory authorities. They may also be subject to national requirements which have been implemented as a result of the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).
The appointment of Representatives is required under Article 27 of the EU GDPR, and the UK equivalent Section 3(2) of the Data Protection Act 2018. The requirement applies to any organization that does not have its own place of business within the United Kingdom and that offers goods or services or monitors the conduct of individuals located in the United Kingdom, or that processes personal data of such individuals. The Representative must be able proof of their identity as well as that they are capable of representing the data controller or processor in respect to the UK GDPR's obligations.
In addition to acting as a means for individuals to exercise their rights under GDPR as well as a means for individuals to exercise their rights under GDPR, the representative must also able to communicate with authorities in the event of a breach. This is because the Representative needs to submit a notification to the supervisory authority who appointed them, regardless of whether the breach impacts the data subject across different jurisdictions.
It is recommended that your chosen Representative has experience working with both European and UK-based authorities for data protection. It is also recommended for them to speak a local language since they are likely to receive contacts from individuals and agencies in the countries they operate in.
While the EDPB states that the Representative should be held accountable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative can't be sued by an individual for the alleged failure to comply with the UK GDPR. This is because according to the court, the Representative has no direct connection with the processing of data by the entity that is represented.
Who is required to appoint the UK Representative?
To be in compliance with the EU GDPR, businesses outside of the EU who are aiming their goods or services for European citizens, but do not have an office, branch, or establishment in the EU must designate an EU Representative. This is in addition the requirements of national laws on data protection. The role of a representative is to serve as a local point-of-contact for supervisory bodies and individuals in relation to GDPR issues.
The UK has an identical requirement to that of the EU, which is outlined in Article 27 of the UK-GDPR. The threshold is the same as that of the EU requirement: any organization offering goods or services in the UK, or monitoring the behaviour of data subjects, must appoint an UK Representative.
Under the UK-GDPR, a Representative must be appointed in writing "to be addressed, in addition or alternatively, addressed on behalf of the controller or processor, by data subjects and the [British Information Commissioner's Office[British Information Commissioner's Office]". They are not permitted to be personally held accountable for compliance with the GDPR. They must, however, cooperate with supervisory authorities during formal proceedings, and also receive notifications from individuals who exercise their rights. ).
Representatives must be located in the Member State of the European Union in which the individuals whose personal information is processed are residents. In most cases this is not an easy decision to make and a thorough analysis of legal and business aspects is required to assess the location(s) most appropriate for an organization. We provide a service to help companies determine their needs and select the most suitable representative choice.
It is also advisable that the representative has experience interacting with both supervisory authorities and handling data subject requests. The ability to communicate in a local language is frequently important as the job will include dealing with inquiries from supervisory authorities or data subjects in multiple countries across Europe.
The identity of the representative should be made clear to the individuals who are data subjects by incorporating their contact information in privacy policies as well as the information given to individuals prior to collecting their personal data (see Article 13 UK-GDPR). Contact information for the UK Representative should be posted on your website so that supervisory authorities are able to easily contact them.
When do you need to nominate an UK Representative?
If your organisation is based outside the UK, offers goods or services to customers within the UK, UK representative or monitors their behaviour it is possible to designate a UK Representative. The UK's Applied EU GDPR regime is applicable to established entities outside the UK that are performing activities in the UK. It has the same extraterritorial scope as EU GDPR, UK Representative but with a few exceptions. Take our free self-assessment and determine if you are legally bound by this obligation.
A Representative is mandated by the entity that appointed them under an agreement to represent that entity with regard to certain of its obligations under UK and EU GDPR as applicable. In the UK the primary purpose of this is to facilitate communication between the party that appointed and the Information Commissioner's Office (ICO) or any affected data subjects in the UK. Representatives can be an individual or a company which is based in the UK. The appointing entity must make it clear to data subjects that their personal information will be processed by the Representative and the identity of that individual or company must be easily accessible to supervisory authorities.
According to Articles 13 and 14 of the UK GDPR the entity that is appointed as the representative is also required to provide the contact information of its representative to the ICO as well as to individuals who are data subjects in the UK. It must be made clear that a representative's role is different from the one of a Data Protection Officer (DPO) that requires a certain degree of independence and autonomy not possible for a representative.
If you need to nominate a UK representative the process should be completed as soon as you can. This is because this obligation is either immediately following Brexit (if it's an "hard" or "no deal" Brexit) or following an implementation period (if it's a "soft" or a "with deal". There is no grace period.
What are the prerequisites to becoming a UK representative?
According to UK data protection laws A representative is a person or a company who is "designated" in writing by a company that has no physical presence in the UK but is subject to the law. The UK representative must be competent to represent the company with regard to its legal obligations, and their contact details must be readily available to those in the UK who have personal information being processed by a non-UK business.
The person who is the UK Representative must be a senior employee of the media or business organisation and has been enlisted and taken on as an employee outside of the UK by that media or business organisation. The visa applicant must plan to serve as the UK representative for the business or media organization full-time, and must not be engaged in other business activities in the UK.
The applicant for visas also has to prove they have the expertise and experience necessary to fulfill their role as UK representative, which includes being a local point of contact with the data subjects and UK authorities for data protection. This is to ensure that the UK Representative is knowledgeable of and expertise in the UK data protection laws and can be able to respond to requests from individuals exercising their rights under the law and any other requests or enquiries received from authorities dealing with data protection.
As the Brexit process continues, it is likely that the UK laws regarding data protection will evolve over time. At the moment, however it is expected of companies from outside the UK that conduct business in the UK and collect personal data of individuals in the UK, to appoint UK representatives.
This is because the UK GDPR stipulates that companies that do not have a UK presence must appoint a representative in accordance with article 27 of the UK GDPR which has been incorporated as a law of the nation in the UK. If you're not sure whether you should designate a UK data protection representative, it is recommended that you consult an experienced legal adviser.
