Although the UK managed to strike a deal with the EU before the end of the transition period, UK companies that do business in the EU may need to appoint a representative for any processing of personal data they carry out when offering goods or services.
Under Article 27 of GDPR, a business that has no office or establishment in the EU but processes the personal data of EU individuals in relation to the provision of goods or services, or in order to monitor their behavior, must have an EU representative (“EU Rep”) to comply with the GDPR.
Prior to Brexit, this obligation was irrelevant to UK businesses. However, the expiry of the transition period completely changes that. A large number of UK businesses will sell goods and services in the EU and will be processing personal data of EU citizens in relation to those activities. Those businesses will now need an EU Rep.
The purpose of the EU Rep is essentially to act as the local ‘point of contact’ for both data protection supervisory authorities and data subjects. For example, an individual in Germany wanting to contact a UK company to make a data subject access request (i.e. ask the company about the personal data it holds about them) will have a point of contact within the EU to liaise with, rather than having to liaise with the company directly.
The representative should ideally be established in a member state where the majority of data subjects whose data is being processed live. However, you are only required to appoint a single EU Rep. Many UK businesses will sell to a variety of EU member states. That does not mean they need to appoint multiple EU Reps.
Appointments should also be in writing, and the EU Rep should be provided with suitable information about the personal data which the UK company is processing. The EU Rep is not liable for the failures of the company it is representing; however, it does have its own obligations, and will need to understand the nature of the processing being carried out in order to comply with those.
The rule does not apply to public authorities. Nor does it apply to ‘occasional’ processing as long as that does not include large scale processing of special category (sensitive) personal data and is not likely to result in a risk to the rights of the data subjects.
However, ‘occasional’ has been interpreted very narrowly, effectively covering a ‘one off’ situation for non-core activities. The argument that a company is only ‘occasionally’ processing personal data in the EU because it only makes a small percentage of its total sales there is not likely to succeed.
There is no grace period now that the transition period has expired, so UK businesses should act now to get an appropriate EU Rep in place.
As a UK-based business, we are not able to provide EU Rep services directly, but we can still help you to get an appropriate EU Rep in place. If you would like to discuss further, please contact firstname.lastname@example.org.