GDPR and Brexit. Will your business need to appoint a “representative”?
The representative is not intended to simply be a “postbox”. It will act as an agent and point of contact for all data protection matters, whether with individual citizens or data protection regulators, and must maintain records of the uses an organisation makes of EU citizens’ data. The representative can be a company or an individual, but it must be mentioned in the privacy information organisations make available to EU citizens.
If your business is required to appoint a representative and does not, action by a European data protection regulator could cause interruption to your business or result in legal action being taken against you.
Any non-EU business or organisation which systematically deals with EU citizens or uses data about EU citizens after Brexit is likely to continue to be subject to the General Data Protection Regulation (“GDPR”) and will likely be required to appoint a representative.
Technically, non-EU organisations are subject to GDPR if they obtain or make any use of EU citizens’ personal data, either in connection with offering “goods and services” to them (including free services) or “monitoring their behaviour”.
A representative is not required if the organisation already has an “establishment” within the EU (meaning it is already subject to EU laws) or if it meets a limited set of exemptions.
The business or organisation must “envisage” providing goods or services to EU citizens. The fact that EU citizens can access a website or otherwise identify the provider may not be enough to make an organisation subject to GDPR, but evidence that EU citizens are intended to be able to receive goods or services is likely to be sufficient.
“Monitoring” will not result from routine online collection or analysis of personal data (for example, website analytics) or occasional contacts with persons within the EU. However, any focused or deliberate analysis of EU citizens, including via behavioural advertising/marketing, conducting surveys, or conducting statistical analyses of personal data – whether for the business or organisation’s own purposes or those of another – is likely to amount to “monitoring”.
Organisations which use EU citizens’ data need to determine whether they will be subject to GDPR after “Brexit” as a result of offering goods/services or monitoring behaviour – and, if so, whether any exemptions in Article 27 allow them to avoid appointing a representative.
If a representative is required, it must be appointed by the “Brexit” date and must be able to fulfil its functions, including having access to all necessary records, by that date.
If you have any questions or would like to know more about how we may help you, please get in touch with our data privacy experts, Ian Lindley, Noel Ruddy and Laura Sutton.
The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. PDT Solicitors LLP accepts no responsibility for the content of any third party website to which this webpage refers.