With the end of the Brexit transitional period on 31 December 2020, it is important that businesses take steps now to ensure they continue to comply with data protection legislation once the transitional period ends.
The need to appoint an EEA representative
The UK data protection authority, the Information Commissioner's Office (ICO), has advised that UK-based data controllers or processors who do not have offices, branches or other establishments in the EEA, but who still offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA, must consider whether or not they need to appoint an EU representative for the purposes of GDPR at the end of the transitional period.
The requirement for an EEA representative for those offering goods or services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA, is not a new one and is already a requirement today for many international businesses. The difference will be that once the transitional period ends, having a base in the UK will no longer qualify as a base in the EEA.
Are there any exceptions to the requirement?
If you meet the requirements as set out above, you may not need to appoint a representative if you are subject to an exemption. The following organisations do not need to appoint an EEA representative:
- Public authorities; or
- Organisations whose processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.
We are still awaiting definitive guidance from the ICO on what is classed as “occasional” or “low risk” processing, but we recommend that organisations err on the side of caution and have a plan for appointing a representative if needed.
It is worth noting that the Article 29 Working Party and the EDPB (the European Data Protection Board) take the view that processing can only be considered “occasional” if it is not carried out regularly and occurs outside the regular course of business or activity of the controller or processor.
It is also worth noting that the requirement only applies to those who do not have an office, branch or other “establishment” in the EEA, so it is worth checking first whether or not it can be argued that your business has an “establishment in the EEA”.
Who can a representative be?
Businesses will need to decide in which EU or EEA state their representative will be based and will need to choose an appropriate representative. An EEA representative can be a company or other organisation established in the EEA, but could also be an individual (including an existing or new employee of the organisation). The representative must be able to represent the organisation that has appointed him or her in respect of its obligations under GDPR.
A representative will need to be set up in an EU or EEA state where some of the individuals whose personal data the business is processing are located, so it is important to choose a location that meets this criterion rather than just picking any EEA country at random.
What do I need to do to appoint a representative?
To appoint a representative you will need to put in place a written agreement with them, appointing them to act on your behalf when it comes to GDPR compliance, dealing with any data protection supervisory authorities (the equivalent of the ICO in other countries) and dealing with and responding to data subjects' queries and complaints. The written agreement will need to set out the terms of the relationship and the representative's obligations.
When appointing a representative it is important to remember that you will still remain responsible for your obligations and any liabilities under GDPR; these cannot be contracted out of or fully delegated to the representative in order to avoid liability. It is therefore important that you choose a representative you can trust to carry out their duties, but also that you keep a close eye on them to ensure your organisation is complying with its obligations under GDPR.
Do I need to change my privacy policies?
Businesses will need to provide details of their EEA representative to the data subjects in the EEA whose personal data they process. This information should be included in your privacy notices and can also be included in any information you provide to data subjects when you collect their data. This is key to ensuring compliance with your transparency obligations under GDPR. The details of your EEA representative must also be easily accessible to data protection supervisory authorities, and an easy way of doing this would be to publish the information on your website.
What do I do next?
This is a complex and changing area of the law, so we recommend that businesses offering goods or services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA, carefully consider whether or not they will need to appoint a representative and seek specialist legal advice before doing so.