On New Year’s Eve 2020, the UK and EU struck a deal allowing personal data to continue flowing freely between the territories until 30 June 2021.
The agreement bridges the gap between the end of the Brexit transition period and a European Commission adequacy decision, which should hopefully be made in the coming months.
Unfortunately, some organisations believe this agreement covers their EU representative requirements. That is not true – and it may mean that a crucial aspect of GDPR (General Data Protection Regulation) compliance is being neglected.
If you’re unsure where this leaves you regarding the appointment of an EU representative, we explain everything you need to know in this blog.
Why is there confusion?
At the heart of the misunderstanding is the UK–EU TCA (Trade and Cooperation Agreement), which took effect on 31 December 2020. As the title suggests, the deal relates strictly to cross-border trade and not to broader issues related to data protection.
As a result of the UK–EU TCA, the UK became a ‘third country’ with respect to EU law from 1 January 2021. The GDPR requirement to appoint an EU representative took effect immediately, so affected UK organisations must appoint one without delay.
Not every UK-based organisation must appoint an EU representative, however. The requirement applies only to organisations that have no presence in the EEA (European Economic Area) but that:
- Offer goods or services to individuals in the EEA; or
- Monitor the behaviour of individuals in the EEA.
The only exceptions to this are public bodies and organisations whose processing is occasional, of low risk to the rights and freedoms of individuals and doesn’t involve large-scale use of special category or criminal offence data.
What you should do if you need an EU representative
There’s no need to panic if you’ve only just realised that you need to appoint an EU representative, but you must work quickly.
Your representative must have a strong understanding of data protection and your GDPR compliance practices. They should also ideally be based in the EU member state in which you do the most business – or, if that’s impractical, you can outsource the role to a third party.
This is where GRCI Law’s EU GDPR Representative Service can help. Our team of lawyers, barristers and information security experts will take on your representative requirements, allowing you to focus on what your business does best.
The service is offered as an annual subscription and covers every aspect of your compliance requirements. We will:
- Act as a local point of contact for data subjects and supervisory authorities on all matters relating to the processing of personal data;
- Hold and maintain a record of your processing activities in accordance with Article 30 of the EU GDPR and, on request, make the record available to relevant supervisory authorities;
- Facilitate communications between your organisation, data subjects and supervisory authorities; and
- Co-operate with supervisory authorities on your behalf where required.