Are you a non-EU organisation that falls under the scope of the GDPR (General Data Protection Regulation) by monitoring the behaviour of, or offering goods and services to, EU Residents?
Meet your Article 27 obligations with an annual subscription to our GDPR EU Representative service. Available either in 3 or 12-month contracts, this service is flexible to suit you.
Under the GDPR, data controllers and processors that are based outside the EU but offer goods or services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in an EU member state where those data subjects are.
If the UK leaves the EU with no deal, this requirement will apply UK organisations that process EU residents’ personal data from exit day – currently set at 31 October 2019.
The EU representative acts on your behalf in relation to your personal data processing activities, and acts as a local contact for data subjects and supervisory authorities.
The obligation to appoint a representative does not apply to:
If the UK leaves the EU with no deal, there will be no transition period and the EU GDPR will cease to apply on exit day – currently set at 31 October 2019.
In this scenario, the ‘UK GDPR’, as created by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, will then apply. (This is an amended version of the EU GDPR in which references to EU currency, organisations and so on are replaced with their UK equivalents.)
The UK will be classified as a third country from exit day, so UK organisations that process personal data on behalf of EU data controllers will need to rely on other measures – such as standard contractual clauses or binding corporate rules – to transfer personal data from the EEA to the UK until an adequacy decision is reached. GRCI Law are able to offer support with binding corporate rules and standard contract clauses through our Contract and Legal service.
UK organisations that process EU residents’ personal data in the context of providing goods and services, or monitoring them, will also have to designate an EU representative from this point.
We are now offering the EU Representative Service under a 3-month contract to support organisations that only need an EU Representative if Brexit goes ahead. Appoint an EU Representative now, knowing that you have the flexibility in the event that Brexit is further postponed.
Using our annual subscription service, you will be supported by our qualified data privacy, legal and compliance team, which will serve as your EU representative, in compliance with Article 27 of the Regulation.
|Contract type||Three month contract||Annual subscription|
|Contract length||Flexibility to end or extend your contract after three months –ideal for organisations waiting for more clarity about Brexit||12-month minimum contract|
|How to buy||Buy online, or contact us if you have more than 500 staff||Contact us for a quote|
|Suitable for||Organisations that only need an EU representative in the event of a no-deal Brexit, and want flexibility in the event of a postponement||Organisations that need an EU representative regardless of Brexit|
In the event of a no-deal scenario, the UK government will use the EU Withdrawal Act (which retains the GDPR (General Data Protection Regulation) in UK law and gives the government the power to make appropriate amendments to ensure the Regulation works effectively in a UK context) to make amendments to the applicable UK laws (e.g. the Data Protection Act 2018) to bring them in line with the GDPR, and adapt local law to suit local requirements – e.g. by replacing references to “Union or Member State law” with “domestic law” and substituting references to “decisions made by the EU Commission” with references to “decisions made by the UK Government”, etc.
The government calls this the ‘No Deal’ framework. The Department for Digital, Culture, Media & Sport has issued guidance outlining its key components – including UK representation for controllers.
In the event of a no-deal Brexit, the UK government intends to require data controllers based outside the UK that process UK residents’ personal data to appoint a representative in the UK.
GRCI Law already acts as the EU representative for a number of non-EU-based controllers. We are able and ready to do the same for any non-UK-based controllers that need to appoint a UK representative in the event of a no-deal scenario.
Led by our management team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we provide DPO, breach, data privacy management, and data subject access request support, and associated non-reserved legal services.
We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear in order to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.
Stay up to date with the latest industry news on our blog.
If you have any queries or you’re unsure of how to progress, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.