Are you a non-EU organisation that falls under the scope of the GDPR (General Data Protection Regulation)?
Meet your Article 27 obligations with an annual subscription to our GDPR EU Representative service.
Under the GDPR, data controllers and processors that are based outside the EU but offer goods or services to, or monitor the behaviour of, data subjects in the EU must appoint a representative in an EU Member State where those data subjects are.
The representative acts on your behalf in relation to your personal data processing activities, and acts as a local contact for data subjects and supervisory authorities.
The obligation to appoint a representative does not apply to:
Using our annual subscription service, you will be supported by our qualified data privacy, legal and compliance team, which will serve as your EU representative, as set out in Article 27 of the Regulation.
On 13 September 2018, the UK government published a technical notice: Data protection if there’s no Brexit deal. It details the government’s plans for maintaining UK data protection legislation if the UK leaves the EU without an agreement – i.e. a ‘no deal’ scenario.
The notice highlights the importance of the free flow of personal data between the UK and the EU to maintaining the current economic relationship and ongoing cooperation on security, and confirms that both sides are committed to maintaining a high standard of data protection.
In the event of a no-deal scenario, the UK government will use the EU Withdrawal Act, which retains the GDPR in UK law and gives the government the power to make appropriate amendments to ensure the Regulation works effectively in a UK context. It will use the Act to amend the applicable UK laws (e.g. the Data Protection Act 2018) to bring them in line with the GDPR, and to adapt local law to suit local requirements, e.g. by replacing references to “Union or Member State law” with “domestic law” and substituting references to “decisions made by the EU Commission” with references to “decisions made by the UK Government”.
The government calls this the ‘No Deal’ framework. The Department for Digital, Culture, Media & Sport has issued guidance outlining its key components – including UK representation for controllers.
Where article 3(2) of the EU GDPR applies, article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
The UK government intends to replicate this provision to require controllers based outside of the UK to appoint a representative in the UK.
GRCI Law already acts as the EU representative for a number of non-EU-based controllers. We are able and ready to do the same for any non-UK-based controllers that need to appoint a UK representative in the event of a no-deal scenario.
Led by our management team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, we provide DPO, breach, data privacy management, and data subject access request support, and associated non-reserved legal services.
We offer legal risk and compliance consultancy advice that you can trust, but without the burden of administrative duties and expenses that law firms must bear in order to carry out certain ‘reserved legal activities’, such as litigation, conveyancing and advocacy.
If you have any queries or you’re unsure of how to progress, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.