Our UK Representative Services

Do you need to Appoint a UK Data Protection Representative?

Your company is based outside the UK and doesn't have an establishment there;
Your company offers goods or services to individuals in the UK (for payment or for free) and/or monitors the behaviour of these individuals (such as tracking or profiling)

STILL NOT SURE IF YOU NEED TO APPOINT A DATA PROTECTION REPRESENTATIVE?

Did You Know?

Since Brexit, the UK Representative
is a mandatory obligation

We provide a full range of high-quality representation services

We are passionate about client service. Really passionate. We strive to understand your operations, needs and expectations in order to provide you with personalized services.

UK Representation services

We act as your Data Protection Representative in your name and on your behalf in the United Kingdom. Our office is located in London, at 8 Northumberland Avenue, London WC2N 5BY.

Data Subject Access Requests (DSARs)

We handle an unlimited number of DSARs across the UK. By “handling”, we mean that we receive requests, perform identity checks (if you instruct us to do so), forward the requests to you, answer your questions as to best practices on how to respond to the requests and reply to the data subjects on your behalf, unless you choose to answer yourself. We aren’t just a mailbox or message forwarding service.

Requests from the Data Protection Authority (ICO)

We handle an unlimited number of requests from the Data Protection Authority (ICO) in the UK. We understand that it can be quite daunting for companies to be contacted by a data protection authority. That’s why our team handles such requests with great care and diligence.

Data Breach Notification Support

We assist and support you in the handling of an unlimited number of data breach notifications in the UK. We understand that the process can sometimes be very challenging, especially given the tight 72-hour deadline to notify the data breach.

IMPORTANT NOTICE IN CASE OF DATE BREACH: Our contract will not automatically terminate in the event that you experience a data breach. We support you all the time and all the way.

Compliance Certificate

We provide you with a Compliance Certificate based on data protection technology through a unique high-level encryption / decryption process (including Blockchain technology) which can be used on your website and on your company material.

Top-level Security with ISO 27001 Certification

We are proud to be ISO 27001 certified, which is the latest, highest and most comprehensive in-depth security certification. It demonstrates our commitment to information security and confirms that we implemented industry-leading security practices to protect our client data. The scope of our certification covers all our processes involved in the provision of data protection Representative services in the EU/EEA and in the UK for companies located outside the EU/EEA and/or the UK, pursuant to Article 27 of the EU & UK GDPR.

Dedicated Client Support

We answer your questions and keep you informed on Data Protection matters that can impact your non-UK business. Our team covers all aspects of the UK GDPR (legal, IT, security, risk management, governance, etc.) and our experts are at your disposal to assist you even beyond local office hours and taking into account your international time zone.

Privacy Policy / Documentation wording

We provide you with the wording that you have to include in your privacy policy on your website or in other documents (e.g. those required in clinical trials) with respect to the appointment of EDPO UK Ltd as your UK representative, including EDPO UK’s contact details and logo.

VIEW OUR PRICING

Overseas family that has our back

EDPO Client / Customizable gift book web application

What should you look for in an EU & UK Data Protection Representative ?

Here is our checklist for the appointment of your EU & UK Data Protection Representative

DOWNLOAD YOUR CHECKLIST HERE

What services are included? Are there any extra (hidden) costs?
What languages are covered? Is translation included in the fees?
Who is the team? What are their qualifications and experience?
Does the Data Protection Representative provide data breach notification support?

What services are included? Are there any extra (hidden) costs?
What languages are covered? Is translation included in the fees?
Who is the team? What are their qualifications and experience?
Does the Data Protection Representative provide data breach
notification support?

We cover the world. We cover all industries.

You'll find below a non-exhaustive list of industries that already work with us.

Frequently Asked Questions

Check our FAQ page for more questions and answers.

How does the UK Representative assist non-UK companies?

The main task of the Data Protection Representative in the UK is to act as a point of contact for the data protection authority and individuals in the UK whose personal data is being processed by non-UK companies.

The representative acts on behalf of the non-UK companies, performing its tasks according to the mandate received from them, including cooperating with the data protection authority (the ICO) with regard to any action taken to ensure compliance with the UK GDPR.

The Data Protection Representative also has to maintain records of the processing activities of their clients.

Where does the UK Representative have to be located?

Your UK GDPR representative must be located in the United Kingdom.

Does designating a Data Protection Representative release the non-UK companies from liability and responsibility?

NO. The UK GDPR clearly state that the designation of a Data Protection Representative does not affect the responsibility and liability of the non-UK companies that fall within the scope of the UK GDPR. The designation is without prejudice to legal actions which could be initiated against the non-UK companies.

How much does it cost to appoint an UK Representative?

Our Data Protection Representative fees are based on the size of your company (in terms of number of employees), the type of data (regular data and/or sensitive data) that your company processes, whether or not your company’s processing operations require regular and systematic monitoring of individuals in the UK and whether your company processes personal data on a large scale. All packages can be tailored to your company’s specific needs.

Click here to know more about our UK Representative fees.

If you need to appoint us as EU Representative too, please let us know, we have discounted prices.

Do the UK representative services cover the EU too?

No. Now that the UK left the EU, it is a separate jurisdiction. If your company is active in both the EU and the UK, you will need to appoint two Representatives. Head over to our EU Representative services page to learn more.

What is personal (regular) data?

Personal data under the GDPR has a very broad interpretation and includes any information that relates to an identified or identifiable natural person: name, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic), identification numbers, location data, age, origins, pseudo, etc.

What is sensitive data ?

Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.

What is considered to be processing “on a large scale"?

The GDPR and UK GDPR do not define what constitutes “large scale” processing but guidelines recommend that the following factors be considered when determining whether the processing is carried out on a large scale:

- The number of individuals concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity

Examples of large-scale processing include:

- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers

Examples that do not constitute large-scale processing include:

- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer

The Swiss Authority defines large scale: “The term "large-scale" refers to cases where data is not simply processed in an isolated way. For example, a medical practice or hospital might process patient data. On the other hand, the isolated processing of the data of an employee who is absent due to illness by a company does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of sensitive data constitutes the essential part of the activities of the person or body in question.”)