Brexit changed a lot for businesses, especially for UK companies that do business with the EU/EEA. Trade, regulation, human resources, transport… there’s almost nothing that goes untouched by the withdrawal of the UK from the EU and its single market. Data protection is unlikely to be at the forefront of companies’ minds but there are real issues that companies, data controllers as well as processors, should dive into now that the UK is officially a third country to the EU.
The extraterritorial effect of the EU GDPR
On 31 December 2020, the Brexit transition period ended and the UK officially left the European Union. Although the UK no longer applies the GDPR as an EU Member State, the GDPR continues to apply to UK companies through its extraterritorial effect. So, if UK companies do business with the EU, they now have to comply with the GDPR as non-EU companies, which means that they most likely have to appoint a GDPR representative in the EU.
Do I have to appoint a Data Protection Representative in the EU?
If you are a UK company, you may have to appoint an EU Representative if:
- You have no establishment in the EU/EEA, and
- You offer products or services to individuals located in the EU/EEA or monitor their behaviour
However, you don’t have to appoint an EU representative if:
- You are a public authority; or
- You have an establishment in the EU/EEA; or
- You process personal data only occasionally, you don’t process sensitive personal data on a large scale, and your processing activities are unlikely to result in a risk to the rights and freedoms of individuals in the EU/EEA
UK companies are generally not familiar with the obligation to appoint a data protection representative because, under the EU GDPR, this obligation only applies to non-EU companies. They didn’t have to appoint an EU representative before 1 January 2021 because they were not considered non-EU companies. It’s a new obligation for them because the UK is now a third country to the EU.
The EU representative is not a Data Protection Officer (DPO). Instead, an EU representative is a natural person or body within the EU who is appointed to communicate with individuals in the EU, as well as the data protection authorities (there are 46 of them in the EEA!) on your behalf. The EU representative must also keep a copy of your company’s record of processing activities.
Not sure if your UK company needs to appoint an EU representative? Contact us for a free assessment.