The UK has already left the EU. Until 11pm on 31 December 2020 the UK remains subject to the European General Data Protection Regulation [‘GDPR’]; from that point it becomes, for data protection purposes, a ‘third country’ and a UK GDPR applies instead. Organisations that process the personal data of individuals in both the UK and Europe may have to comply with both versions.
The Key Changes Are:
European organisations that wish to send personal data to the UK have to do so in accordance with the European GDPR, which sets out various mechanisms under which data can be transferred lawfully. Typically this is done through model contractual clauses. UK organisations that work with European organisations which send personal data to the UK need to ensure that the data can continue to flow lawfully.
UK organisations that offer goods or services to, or monitor the behaviour of, individuals in the EEA have to comply with the European GDPR when they process that personal data. They may also need to appoint a representative in Europe. This representative is the contact point for data subjects and for the European regulators.
Likewise, if European organisations (in fact anyone outside the UK) offer goods or services to, or monitor the behaviour of, individuals in the UK, they have to comply with the UK version of the GDPR and may need to appoint a UK representative for data protection matters.
DPA/OK can advise in relation to flows of personal data from Europe to the UK and the implications of Brexit.
From 1 January 2021 there will be a UK version of the GDPR.
If you are a ‘Data Controller’ [you decide what is done with personal data and how it is processed] or a ‘Data Processor’ [you act on a controller’s instructions], you are based outside the UK, you have no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK, then you may need to appoint a UK representative.
You will need to authorise the representative in writing, through an appropriate written mandate, to act on your behalf regarding your UK GDPR compliance and to deal with the UK data regulator, the Information Commissioner’s Office (ICO), and with data subjects in this respect. Information about the representative should be provided to data subjects, for example in your privacy notice, and should be made easily accessible to the ICO, for example by publishing it on your website.
DPA/OK can represent you regarding your obligations under the UK GDPR.
You will need to provide the individuals whose personal data you are processing with your representative’s details. This may be done by including them in your privacy notice or in the upfront information you give individuals when you collect their data.
Example: an EEA-based sales firm has no offices in the UK but has a regular client base there. The firm must appoint a UK representative to act as its direct contact for data subjects and the ICO.
You do not need to appoint a representative if either:
you are a public authority; or
your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data (all three conditions must be met).
If you are not sure about any aspect of appointing a UK representative, please contact DPA/OK.
From 1 January 2021 there will be a UK version of the GDPR. Unfortunately, this does not mean that you can forget about the version of the GDPR we had to abide by before. Any organisation in Europe that processes personal data still has to comply with the European version. This means that if it is sending personal data to the UK it needs to do so lawfully. A supply partner in Europe may therefore ask UK organisations to enter into contractual clauses. These clauses have legal force and mean that the standards of the GDPR ‘travel’ with the personal data from Europe to the UK.
If a UK organisation wishes to provide goods or services to individuals in Europe, or to monitor their behaviour, and it has no office, branch or establishment there, then the European GDPR requires the UK organisation to appoint a representative in one of the European countries where the individuals concerned are located.
The representative is effectively the UK organisation’s ‘agent’ for data protection matters in Europe. The representative will be the contact point for ‘data subjects’ in Europe [your privacy notice will need to name them as such] and for the European data protection regulators. They must also hold a copy of the UK organisation’s Record of Processing Activities.
DPA/OK can assist you with the appointment of an EU representative.