GDPR and Brexit. Will your business need to appoint a “representative”?

Back to HubNext ArticlePrevious Article

GDPR and Brexit. Will your business need to appoint a “representative”?

To share this article:


The UK will cease to be part of the European Union on 29 March 2019 in the absence of a “deal” to extend the deadline.  One implication of this is that businesses which hold, obtain or use data about EU citizens after the 29th may have to formally appoint a “representative” within the EU for data protection purposes.  

The representative is not intended to simply be a “postbox”.  It will act as an agent and point of contact for all data protection matters, whether with individual citizens or data protection regulators, and must maintain records of the uses an organisation makes of EU citizens’ data.  The representative can be a company or an individual, but it must be mentioned in the privacy information organisations make available to EU citizens. 

If your business is required to appoint a representative and does not, action by a European data protection regulator could cause interruption to your business or result in legal action being taken against you.  

Who must appoint a representative?

Any non-EU business or organisation which systematically deals with EU citizens or uses data about EU citizens  after Brexit  is likely to continue to be subject to the General Data Protection Regulation (“GDPR”) and will likely be required to appoint a representative.  

Technically, non-EU organisations are subject to GDPR if they obtain or make any use of EU citizens’ personal data, either in connection with offering “goods and services” to them (including free services) or “monitoring their behaviour”.  
A representative is not required if the organisation already has an “establishment” within the EU (meaning it is already subject to EU laws) or if it meets a limited set of exemptions.

What is “offering goods and services”?

The business or organisation must “envisage” providing goods or services to EU citizens.  The fact that EU citizens can access a website or otherwise identify the provider may not be enough to make an organisation subject to GDPR, but evidence that EU citizens are intended to be able to receive goods or services is likely to be sufficient.  

What is meant by the term “monitoring their behaviour”?

“Monitoring” will not result from routine online collection or analysis of personal data (for example, website analytics) or occasional contacts with persons within the EU.  However, any focused or deliberate analysis of EU citizens, including via behavioural advertising/marketing, conducting surveys, or conducting statistical analyses of personal data – whether for the business or organisation’s own purposes or those of another – is likely to amount to “monitoring”.

What steps should I take? 

Organisations which use EU citizens’ data need to determine whether they will be subject to GDPR after “Brexit” as a result of offering goods/services or monitoring behaviour - and, if so, whether any exemptions in Article 27 allow them to avoid appointing a representative.  

If a representative is required, it must be appointed by the “Brexit” date and must be able to fulfil its functions, including having access to all necessary records, by that date.  

If you have any questions or would like to know more about how we may help you please get in touch with our data privacy experts, Ian Lindley, Noel Ruddy and Laura Sutton.

The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. PDT Solicitors LLP accepts no responsibility for the content of any third party website to which this webpage refers.

Back to HubNext ArticlePrevious Article

Related Content

PDT Solicitors Accredited and Award Winning


This site uses cookies.

Some of these cookies are essential, while others help us to improve your experience by providing insights into how the site is being used.

Necessary Cookies

Necessary cookies enable core functionality. The website cannot function properly without these cookies, and can only be disabled by changing your browser preferences.

Analytical Cookies

Analytical cookies help us to improve our website by collecting and reporting information on its usage.