Natacha has held a number of high-level positions within the Foreign Office including Deputy Ambassador to China and Director for economic diplomacy and Emerging Powers. She has also worked on global trade policy as well as international development issues.
Businesses located outside the UK are bound by UK privacy laws. They must choose a representative avon in the UK who will be their point of contact for data subjects and ICO.
What is what is a UK Representative?
The UK Representative is a person, business or organization that has been authorised by a controller or processor of data to act in their behalf in all matters related to GDPR compliance. They will be the primary contact point for any inquiries from data subjects who exercise their rights or requests from supervisory authorities. They could also be subject to national requirements which have been imposed due to the GDPR's extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).
The appointment of a Representative is required under Article 27 of the EU GDPR, as well as the UK equivalent Section 3(2) of the Data Protection Act 2018. This requirement is applicable to all companies that do not have a permanent establishment in the United Kingdom but offer goods or services or observe the actions of people who are located in the United Kingdom or handle personal data. The Representative must be able to show proof of their identity as well as that they are able of representing the data controller or processor in respect to the UK GDPR's obligations.
In addition to acting as a portal for individuals to exercise their rights under GDPR, the Representative must be in a position to communicate with authorities in the event of an incident. The Representative must notify the supervisory authority that appointed them, regardless of whether or not the breach affects data subjects across multiple jurisdictions.
It is recommended that your Representative has experience working with both European and UK-based data protection authorities. It is also desirable for them to be proficient in local languages since they are likely to receive contacts from individuals and agencies in the countries where they work in.
While the EDPB states that the Representative will be held accountable in the event of non-compliance, the UK court case of Rondon v LexisNexis UK Ltd (2019) EWHC 1427 has confirmed that a Representative cannot be sued by an individual for What is an Avon Representative the alleged failure to comply with the UK GDPR. The court concluded that the Representative was not in direct connection with the processing of data by the represented entity.
Who is required to appoint the UK Representative?
To comply with the EU GDPR, companies outside of the EU who are aiming their goods or services towards European citizens but do not have an office, branch, or establishment in the EU must appoint an EU Representative. This is in addition to requirements from national laws regarding data protection. A representative's job is to serve as a local point-of-contact for supervisory bodies and individuals regarding GDPR-related issues.
The UK has its own version to the EU requirements, as laid out in Article 27 of the UK-GDPR. The threshold is the same as that of the EU requirement: any organization providing goods or services within the UK, or monitoring the conduct of the data subjects, has to appoint an UK representative.
According to the UK-GDPR a representative must be approved in writing by the data subjects or the [British Information Commissioner's Officeto be able "to be contacted, further or alternately, on behalf the controller or processor". They are not permitted to be personally held accountable for compliance with the GDPR. They must, however, cooperate with supervisory authorities in official proceedings, and receive messages from those who exercise their rights. ).
Representatives should be based in the state of the European Union in which the individuals whose personal data is processed reside. In the majority of cases, this isn't an easy choice to make and a thorough analysis of legal and business aspects is required to determine the location(s) most suitable for an organization. We provide a service to help companies assess their needs and choose the most suitable representative choice.
It is also recommended that representatives have previous experience in dealing with supervisory authority as well as dealing with inquiries from data subjects. Language skills in the local area are often of importance as the role is likely to be involving dealing with requests from supervisory authorities or data subject in multiple countries across Europe.
The identity of the Representative should be made clear to the data subjects by including their details in privacy policies and information provided to individuals before collecting their data (see Article 13 of the UK-GDPR). Contact details for the UK Representative should be posted on your website so that supervisory authorities are able to easily reach them.
When do you need to appoint an UK Representative?
If your business is based outside of the UK, offers goods or services to customers in the UK or monitors their behavior and conducts surveillance, you may have to appoint the position of a UK representative. The Applied GDPR regime in the UK is applicable to established non-UK entities that conduct business in the UK and has the same extraterritorial reach as EU GDPR (with certain exceptions). You can take our no-cost self-assessment to determine if you are required to comply with this requirement.
A Representative is appointed by the party appointing under the terms of a contract of service. The representative is appointed to act for that party in relation to specific obligations under the UK GDPR and EU GDPR, if applicable. In the UK the primary goal of this would be to facilitate communication between the appointing entity and the Information Commissioner's Office (ICO) or any data subjects affected in the UK. A Representative could be an individual or a company based in the UK. The appointing body must inform the data subjects that the representative will be processing their personal data and that the identity of the individual or business is readily accessible to supervisory authorities.
According to Articles 13 and 14 of the UK GDPR the entity that is appointed as the representative is also required to provide the contact information of its representative to the ICO and the data subjects in the UK. It is essential to clarify that the representative's job is different from the one of a Data Protection Officer (DPO) that requires a certain degree of independence and autonomy not possible for the role of a representative.
If you need to appoint an UK representative the process should be completed in the earliest time possible. This is because the need for this comes immediately after Brexit (if there is an 'hard' or 'no deal' Brexit) or after an implementation period (if there is a'soft' or 'with deal' Brexit). There is no grace period.
what is an avon representative (why not look here) are the requirements to become a UK representative?
According to UK laws on data protection A representative is a person or company who is "designated" in writing by an entity that doesn't have a physical presence in the UK however is subject to the law. The UK representative must be able to represent an entity in relation to its legal obligations. The contact information of the representative should also be readily available to UK residents whose personal details are processed by a non-UK business.
The person who is the UK Representative must be a senior worker of the foreign media or business organization and has been enlisted and taken on as an employee outside of the UK by the business or media organisation. The visa applicant must genuinely intend to be full-time employed as the UK representative for the media or business organization, and they must not engage in any other business activity in the UK.
The applicant also has to demonstrate that they have the knowledge and experience necessary to fulfill their role as UK representative, which entails being the local contact point for the data subjects and UK authorities for data protection. This is to ensure that the UK Representative has sufficient knowledge of and understanding of the UK data protection laws and can be able to respond to requests from individuals exercising their rights under the law and any other requests or enquiries received from data protection authorities.
As the Brexit process continues, it is likely the UK data protection laws will be altered over time. In the present, however it is expected of non-UK companies that do business in the UK, and process personal data of individuals in the UK to choose UK Representatives.
This is because article 27 of the UK's GDPR that was adopted as a UK national law, requires entities without any presence in the UK to nominate a UK representative for data protection. If you are unsure of whether you should appoint an UK representative for data protection It is suggested that you speak to an experienced legal adviser.
