EU Representative

From 1 January  there will be a UK version of the GDPR.  Unfortunately, this does not mean that you can forget about the version of the GDPR we had to abide by before.  Any organisation in Europe that processes personal data still has to comply with the European version.  This means that is they are sending personal data to the United Kingdom they need to do so lawfully.  A supply partner in Europe may ask UK organisations to enter into contractual clauses.  These clauses have legal force and means that the standards of the GDPR ‘travel’ with personal data from Europe to the UK.  

If a UK organisation wishes to provide goods or services to individuals in Europe or monitor them (and you do not have an office, branch or establishment there) then the European GDPR requires the UK organisation to appoint a representative in one of the European countries where the customers live.

The representative is effectively the UK organisations ‘agent’ for data protection matters in Europe.  The representative will be a contact point for ‘data subjects’ [your privacy notice will need to name them as such] in Europe and be  the contact point for the European data protection regulators.  They must also hold a copy of the UK organisations Record of Processing Activities.

DPA/OK has links with representatives and can arrange their appointment and written instruction for you.   Your appointment of your representative must be in writing and should set out the terms of your relationship with them. Having a representative does not affect your own responsibility or liability under the EU GDPR.

You do not need to appoint a representative if your personal data processing is only occasional, of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.