Brexit And The GDPR: Does Your US Business Need Two Data Protection Representatives?
Since January 1, 2021, the UK is no longer a Member State of the European Union (EU) and is considered a third country to the EU. The UK now applies the “UK GDPR”, an almost identical version of the EU GDPR. The rights, principles and obligations mostly stay the same. US companies that were doing business with the EU before Brexit now have to look at the UK with a different lens. One of the main questions regarding GDPR post Brexit is the data protection representative. Do you have to appoint one? Do you maybe even have to appoint two?
It Depends On Where You Do Business
I do business with the EU/EEA only
If you only do business with the EU or the European Economic Area (EEA) and not with the UK, you should not be concerned by Brexit. However, even if you are based in the US, you must appoint an EU GDPR Representative if:
- you don’t have an establishment in the EU/EEA
- you offer products or services to individuals who are in the EU or monitor the behaviour of individuals in the EU (such as tracking or profiling)
If you haven’t appointed a GDPR EU representative and you’re not sure if you have to appoint one, take our free assessment test to find out!
I do business with the UK only
If you only do business with the UK and not with the EU or EEA, you must appoint a UK GDPR Representative if:
- you don’t have an establishment in the UK
- you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals
I do business with both the UK and the EU/EEA
If you do business with the UK and the EU/EEA, both the EU and UK GDPR apply to your business. You must therefore appoint both an EU GDPR representative and a UK GDPR representative if you are based in the US and if:
- you don’t have an establishment in the EU/EEA or in the UK
- you offer products or services to individuals who are in the EU/EEA and the UK or you monitor the behaviour of such individuals
If you already had an EU representative prior to January 1, 2021, and the representative was located in the UK, you will now have to appoint a representative on the EU/EEA countries.
Can you benefit from the exceptions?
You don’t have to appoint an EU and/or a UK representative if:
- You have an establishment in the EU (regarding the EU representative obligation) or in the UK (regarding the UK representative obligation)
- You are a public authority; or
- You process personal data only occasionally and you don’t process sensitive personal data on a large and your processing activities are not likely to affect the rights and freedoms of individuals in the EU/ UK.
EDPO can act as your EU/EEA GDPR representative AND as your UK GDPR representative.
If you appoint EDPO as both your EU/EEA and UK Data Protection Representative, you will get a 20% discount on the EU Representative price.
Want to know more? Contact us for a free assessment.
Follow us on Linkedin for daily breaking GDPR news!
Get our weekly newsletter in your inbox every Monday with fresh GDPR and Data Protection news!