What Is a UK Representative and Why Do You Need One?

Natacha has held a number of senior positions in the Foreign Office including Deputy Ambassador to China and Director for economic diplomacy and Emerging Powers. She has also worked on international trade policy and issues related to development.

Companies that are not based in the UK must adhere to UK privacy laws. They must choose a representative in the UK who will be their point of contact for data subjects and ICO.

What is a UK representative?

The UK Representative is a person, company or other entity that has been formally authorised by a processor or controller of data to act on behalf of the controller or processor in the GDPR's compliance issues in general. They will be the primary contact point for inquiries from data subjects exercising their rights or requests from supervisory authorities and may be subject to national requirements which have been implemented as a result of the GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. This requirement is applicable to all organizations that do not have a permanent location in the United Kingdom but offer goods or services or monitor the behavior of those who reside there or process personal data. The representative must be able to provide proof of their identity, and that they can be the controller or processor of data in respect to UK GDPR requirements.

In addition to acting as a platform for individuals to exercise their rights under GDPR, the Representative must be able to communicate with authorities in the event of a breach. This is because the Representative needs to submit a notification to the supervisory authority that appointed them, regardless of whether the breach affects individuals across different jurisdictions.

It is recommended that the representative has worked with both European and UK-based authorities for data protection. It is also recommended for them to speak a local language because they will receive calls from individuals and data protection agencies in the countries where they work in.

The EDPB says that the Representative is accountable for any non-compliance. However the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 confirmed that a representative is not able to be sued by someone who believes the controller of the data has failed to adhere to GDPR in the UK. The court ruled that the Representative did not have a direct connection to the data processing activities of the entity that it represented.

Who is responsible for appointing the UK Representative?

To comply with the EU GDPR, businesses outside of the EU that are targeting goods or services to European citizens but do not have an office, branch or establishment in the EU must appoint an EU Representative. This is in addition to requirements of national data protection laws. A representative's job is to act as a local point-of-contact for supervisory bodies and individuals regarding GDPR concerns.

The UK has a similar requirement to the EU as laid out in Article 27 of the UK-GDPR. Like the EU requirement, the threshold is low and any business that offers goods or services to, or monitors the behaviour of data subjects within the UK must choose a UK representative.

Under the UK-GDPR, a Representative must be formally authorized "to be, additionally or alternatively, addressed on behalf of the controller or processor, by data subjects and the [British Information Commissioner's Office[British Information Commissioner's Office]". They are not personally responsible for GDPR compliance. They must, however, cooperate with supervisory authorities in official proceedings, and receive communications from individuals who exercise their rights. ).

Representatives must be situated within the EU member state where the people whose data is being processed are. This is not an easy choice and requires a thorough business and legal analysis to determine the right location for an organization. We provide a specialized service that assists businesses to assess their needs and choose the most appropriate representative location.

It is also recommended that Representatives have experience in interacting with both supervisory authorities and dealing with requests from data subjects. Local language skills can also be essential, as the role may involve handling inquiries from data subjects or supervisory authorities in multiple countries throughout Europe.

The identity of the Representative should be made clear to data subjects by including their information in privacy policies and information provided to individuals before collecting their data (see Article 13 UK-GDPR). Contact details for the UK sales representative jobs should be made available on your website so that supervisory authorities can easily contact them.

When do you need to appoint a UK Representative?

If your business is located outside the UK and offers goods or services to the UK or monitors the conduct of individuals, you may be required to appoint a UK Representative. The UK's applied EU GDPR regime is available to non-UK established companies that are performing activities in the UK. It has the same extraterritorial reach as EU GDPR, with some exceptions. Take our free self-assessment to check if you're legally bound by this obligation.

A representative is appointed by the party appointing under an agreement of service to act on behalf of the party with respect to certain obligations under the UK GDPR and EU GDPR, as applicable. In the UK, the main purpose of this is to facilitate communication between the appointing party and the Information Commissioner's Office (ICO) or any other affected data subjects in the UK. A Representative could be an individual or a company based in the UK. The entity that is appointing the representative must make it clear to data subjects that their personal information will be processed by the Representative. The identity of the individual or company must be readily available to supervisory authorities.

In accordance with Articles 13 and 14 of the UK GDPR, the appointing entity is also required to provide the contact information of its representative to the ICO as well as the people who have data in the UK. It must be clear that the role of a Representative is distinct from and not compatible with that of the role of a Data Protection Officer ("DPO") which requires a certain degree of independence and autonomy that cannot be provided by a Representative.

If you have to designate an official from the UK representative and you are required to do so, you must do it as soon as you can. This is because this obligation is either immediately following Brexit (if it's an "hard" or "no deal" Brexit) or following an implementation period (if it is a "soft" or "with deal". There is no grace period.

What are the requirements for the designation of a UK Representative?

Under the UK data protection laws (and specifically article 27 of the UK GDPR), a representative is an individual or a company that is "designated in writing" by an entity that lacks a presence in the UK but is subject to the provisions of the law. The UK representative must be able to represent an entity in relation to its legal obligations. Contact details for representatives should be readily accessible to UK residents whose personal details are being processed by a non-UK business.

The UK Representative must be an overseas senior employee of a business or media company and has been recruited and employed as an employee by the media or business organization outside the UK. The applicant must genuinely intend to work full-time as the UK Representative for the business or media organisation, and they are not allowed to engage in any other business ventures in the UK.

Additionally, the visa applicant must prove that they have the necessary skills and experience to fulfill their role as a UK Representative which includes serving as local contact for inquiries from data subjects and UK data protection authorities. This is to ensure that the UK Representative is well-informed of and expertise in the UK data protection laws, and is able to respond to requests from individuals exercising their rights under the law, as well as any other requests or enquiries received from authorities dealing with data protection.

As the Brexit process continues, it is likely that the UK data protection laws will evolve over time. At the moment, it is expected that non-UK businesses that do business in the UK and handle personal data of people in the UK will be required to appoint an UK Representative.

It is because article 27 of the UK's GDPR that was adopted as an UK national law, UK representative requires all entities that do not have any presence in the UK to nominate the position of a UK data protection representative. If you are not sure whether you should appoint the position of a UK representative for data protection it is recommended that you speak to an experienced legal advisor.