Do I Need A(nother) Data Protection Representative After the Brexit Transition?

Two GDPRs and Two Types of Representatives

The United Kingdom’s Brexit transition period ends on December 31, 2020. Once the transition period concludes, the UK will be a third country outside of the European Economic Area (“EEA”). 

One of the repercussions of the UK’s separation from the EU is that the EU General Data Protection Regulation (“EU GDPR”) will, as of January 1, 2021, require many organizations whose only EU presence was in the UK to appoint a data protection representative established in the EU if their UK establishment processes personal data of individuals located in the rest of the newly contoured EU.  

A second repercussion is that there will be two GDPRs with mirroring data protection representation requirements. To avoid conflicting references to the European Union or the EEA, the UK government plans to implement its version of the EU GDPR, the UK GDPR.[1] In many cases, the UK GDPR mandates that non-UK-based organizations processing the personal data of individuals in the UK appoint a data protection representative in the UK. For example, companies that have a branch in the EU, but not in the UK, that process personal data of individuals in the UK will likely need to appoint a representative in the UK.

If your organization processes personal data of individuals in the EEA and in the UK and does not have an establishment in both jurisdictions, read on.

Do I Need an EU Data Protection Representative?

Article 27 of the EU GDPR requires (with limited exceptions explained in this blog post) organizations that are not established in the EU but process the personal data of individuals in the EU to appoint a data protection representative in the EU. The end of the Brexit transition period triggers two major changes to the rules concerning data protection representatives:

  1. Organizations based in the UK were previously able to avoid the Article 27 data protection representative requirements since the UK was also part of the EEA. Now UK organizations not established in the EU but processing EU personal data generally must appoint a data protection representative within the EU.

    Example: A company with headquarters in the U.S. fully owns a UK subsidiary with an office in London. The London office oversees the company’s marketing operations in the EU. Since the U.S. company does not have any other establishment in Europe and the London office will no longer be considered an establishment in the EU, the U.S. company must appoint a data protection representative in the EU as of January 1, 2021.
  2. Organizations located outside the EEA may have previously appointed a data protection representative in the UK in order to satisfy the requirements of GDPR Article 27. Those organizations must now appoint a data protection representative within an EEA member state.

    Example: An Australian company had appointed a data protection representative in the UK to serve as its EU data protection representative. As of 2021, the Australian company must appoint another data protection representative in one of the remaining EEA member states.

Do I Need a UK Data Protection Representative?

The UK GDPR requirement to appoint a data protection representative mirrors the EU GDPR’s requirement for organizations not located in the EU. Based on the current text of the UK GDPR, organizations not established in the UK that are processing the personal data of individuals in the UK to either (i) offer them goods or services or (ii) monitor their behavior must appoint a data protection representative in the UK as well. 

Example: If a U.S.-based company places cookies on the devices of individuals in the UK and the EEA for the purpose and intention of direct marketing, it must appoint a data protection representative in both the UK and the EEA.

Importantly, EEA-based organizations processing the personal data of individuals in the UK must also appoint a representative in the UK to continue to do so in compliance with the UK GDPR.

Example: A company based in the Netherlands with no establishment in the UK provides personalized diet and health analytics services online to individuals in the UK. As of 2021, the Dutch company must have a data protection representative in the UK.

VeraSafe EU and UK Data Protection Representative Services

If you are looking for an experienced and highly specialized data protection representative, VeraSafe can help. We have been providing EU data protection representative services since before the days of the GDPR and we are one of the very few well-established privacy law firms and consulting groups to offer UK data protection representative services in a legally compliant way. Learn more about our Data Protection Representative Program for EU GDPR Article 27 and our Data Protection Representative Program for UK GDPR Article 27.

  1. This document shows the redlined, adapted version of the GDPR that the UK government plans to implement after the transition period. The UK GDPR will sit alongside an amended version of the Data Protection Act 2018.
