GDPR and Brexit - PDT Solicitors ask - Will your business need to appoint a “representative”?

Published: 02 Apr 2019

The UK will cease to be part of the European Union on 12 April 2019 in the absence of a “deal” to further extend the deadline. One implication of this is that businesses which hold, obtain or use data about EU citizens after the 12th may have to formally appoint a “representative” within the EU for data protection purposes.
The representative is not intended to simply be a “postbox”. It will act as an agent and point of contact for all data protection matters, whether with individual citizens or data protection regulators, and must maintain records of the uses an organisation makes of EU citizens’ data. The representative can be a company or an individual, but it must be mentioned in the privacy information that organisations make available to EU citizens.
If your business is required to appoint a representative and does not, action by a European data protection regulator could cause interruption to your business or result in legal action being taken against you.
Who must appoint a representative?
Any non-EU business or organisation which systematically deals with EU citizens or uses data about EU citizens after Brexit is likely to continue to be subject to the General Data Protection Regulation (“GDPR”) and will likely be required to appoint a representative.
Technically, non-EU organisations are subject to GDPR if they obtain or make any use of EU citizens’ personal data, either in connection with offering “goods and services” to them (including free services) or “monitoring their behaviour”.
A representative is not required if the organisation already has an “establishment” within the EU (meaning it is already subject to EU laws) or if it meets a limited set of exemptions.
What is “offering goods and services”?
The business or organisation must “envisage” providing goods or services to EU citizens. The fact that EU citizens can access a website or otherwise identify the provider may not be enough to make an organisation subject to GDPR, but evidence that EU citizens are intended to be able to receive goods or services is likely to be sufficient.
What is meant by the term “monitoring their behaviour”?
“Monitoring” will not result from routine online collection or analysis of personal data (for example, website analytics) or occasional contacts with persons within the EU. However, any focused or deliberate analysis of EU citizens, including via behavioural advertising/marketing, conducting surveys, or conducting statistical analyses of personal data – whether for the business or organisation’s own purposes or those of another – is likely to amount to “monitoring”.
What steps should I take?
Organisations which use EU citizens’ data need to decide whether they will be subject to GDPR after “Brexit” as a result of offering goods/services or monitoring behaviour - and, if so, whether any exemptions in Article 27 allow them to avoid appointing a representative.
If a representative is required, it must be appointed by the “Brexit” date and must be able to fulfil its functions, including having access to all necessary records, by that date.
If you have any questions or would like to know more about how we may help you please visit https://www.pdt.co.uk/

 

About us

Our mission is to help you grow & evolve as a business.
That also means supporting local business growth & providing a united voice in the Gatwick Diamond.
We're aiming for excellence.
Our method is proactive & determined.
Our approach? Personal & engaging.

Get in touch

Tel: 01293 440088

Membership enquiries, new and existing:
mandi@gatwickdiamondbusiness.com

Event information and booking:
events@gatwickdiamondbusiness.com

To ensure we give you the best experience on our website we use Cookies. You can change your cookie settings at any time. However, if you continue without changing your settings we will presume you are happy to receive all cookies on the gdb website. Continue