Having previously discussed the effect of a 'no-deal' Brexit on data protection, this article takes a closer look at the requirement to appoint a representative under the General Data Protection Regulations (GDPR) and how this could be relevant should the UK leave the EU without a transitional arrangement (Exit Day) (as of the date of this article, Exit Day is scheduled for 31 October 2019).
What is a representative?
The primary role of the representative is to facilitate co-operation between EU data protection regulators and controllers or processors not physically located inside the European Union. Appointing a representative does not affect the responsibilities or liabilities of the appointing controller or processor, but it does give the regulators and EU data subjects a point of contact should they need to engage with the data controller or processor.
A key function of the representative is to maintain a record of any processing activities under the responsibility of the controller or processor. Again, this does not discharge the controller or processor’s own obligations, who must continue to comply with any obligations directly applicable controllers or processors (as relevant) alongside assisting the representative.
In practice, this means that a supervisory ity or regulator could look to the representative to assist with any matter relating to the compliance obligations of a controller or processor; the representative should be able to facilitate any informational or procedural exchange between a requesting supervisory ity and the controller or processor who appointed them, and should also be in a position to efficiently communicate with data subjects (including communicating in the appropriate language).
Guidance from the European data protection regulator (the EDPB) explains that the intention of this requirement is to enable regulators to initiate enforcement action against a representative in the same way as against controllers or processors. Representatives can be held to account should they not comply with regulators (and be subject to administrative fines and penalties as a consequence).
When is it necessary to appoint a representative?
A data controller/processor does not need to appoint a representative if they have an 'establishment' in the EU. Very briefly, to be 'established' the data controller or processor will be conducting activity through a 'stable arrangement'. For example, this might be a subsidiary, a branch or an office in the member state. EU case law has shown that 'establishment' has been broadly defined.
Even if the data controller or processor does not have an 'establishment' in the EU, it may still fall within the scope of GDPR by 'targeting' individuals in one or more member states. If this is the case, then it will potentially have to appoint a representative (as a side note, appointing a representatives will not make a data controller/processor 'established' for the purpose of GDPR). Offering goods and services or monitoring behaviour (for example, through collecting data from internet of things devices, wearables, or behavioural online tracking) can be 'targeting' individuals, irrespective of whether payment is received.
After Exit Day in the case of a ‘no-deal’ Brexit some business will lose their 'establishment' in the EU (for example, where a company only has a UK office which manages all of their activities within the EU). This will mean that those companies that continue to process EU personal data (and do not qualify for an exemption) will now need to appoint a representative after Exit Day.
There is a limited exception under the GDPR, setting out when a data controller/processor is not required to appoint a representative. However, this is only when the processing is occasional and does not include (on a large scale) the processing of special categories of data (e.g. data relating to ethnic original, religious beliefs or biometric data, to name a few) and does not include the processing of data relating to criminal convictions or offences and the processing is unlikely to result in a risk to the rights and freedoms of natural persons.
Public ities or bodies are also exempt from the requirement to appoint a representative, on the basis they are regulated elsewhere.
Who can act as a representative?
The representative can be an individual, company or organisation but must be physically located in an EU state where some of the individuals whose personal data is being processed (i.e. if you do not have any French customers you should not appoint a representative in France). The EDPB guidelines also note that if a significant proportion of data subjects are located in one member state, it is best practice to appoint a representative in that member state.
A representative must be able to represent the controller or processor in respect of its obligations under GDPR and there must be a written mandate in place that sets out the relationship and obligations between the EU-located representative and the non-EU-located controller or processor. In practice, the function of a representative can be exercised based on a service contract with an individual or organisation (such as a law firm, consultancy or private company) that meets the requirements described above.
What should you do to prepare?
Establish if you need a representative: are you targeting individuals in a member state, without an establishment in the EU? Remember that an establishment in the UK will no longer suffice for this purpose after Exit Day. This could apply to UK businesses who process the data of individuals in the EU, and could also apply to non-EU businesses (such as US companies) who previously relied on a UK branch, office, subsidiary or representative for compliance when processing data.
If so, consider appointing a representative before Exit Day or making preparations to do so.
Requirements under the new UK GDPR
The above discusses the need to appoint a representative if the data controller or processor processes data of individuals in the EU after Exit Day. However, the UK will also adopt the amended 'UK GDPR' on Exit Day, which updates the GDPR to apply to within the UK separately to the EU GDPR.
The Information Commissioner’s Office has indicated that the UK government intends that a controller or processor located outside the UK but which 'targets' UK individuals (using the same test as the EU GDPR detailed above but in respect of the UK only), will be required to appoint a UK representative after Exit Day.
If this approach is adopted by the UK GDPR, a data controller or processor (without an establishment in the UK) processing the data of individuals in the UK will also need to appoint a UK representative. For example, if a US company processes the data for individuals in both France and the UK (and does not have an establishment in either country) it will have to appoint both a UK representative and an EU representative after Exit Day.
How can Burges Salmon help?
If you would like assistance determining whether there is a requirement to appoint a representative or further guidance putting one in place, please contact Andrew Dunlop or David Varney in our data protection team.