GDPR and Brexit - PDT Solicitors ask - Will your business need to appoint a “representative”?
Published: 02 Apr 2019
The UK will cease to be part of the European Union on 12 April 2019 in the absence of a “deal” to further extend the deadline. One implication of this is that businesses which hold, obtain or use data about EU citizens after the 12th may have to formally appoint a “representative” within the EU for data protection purposes.
The representative is not intended to simply be a “postbox”. It will act as an agent and point of contact for all data protection matters, whether with individual citizens or data protection regulators, and must maintain records of the uses an organisation makes of EU citizens’ data. The representative can be a company or an individual, but it must be mentioned in the privacy information that organisations make available to EU citizens.
If your business is required to appoint a representative and does not, action by a European data protection regulator could cause interruption to your business or result in legal action being taken against you.
Who must appoint a representative?
Any non-EU business or organisation which systematically deals with EU citizens or uses data about EU citizens after Brexit is likely to continue to be subject to the General Data Protection Regulation (“GDPR”) and will likely be required to appoint a representative.
Technically, non-EU organisations are subject to GDPR if they obtain or make any use of EU citizens’ personal data, either in connection with offering “goods and services” to them (including free services) or “monitoring their behaviour”.
A representative is not required if the organisation already has an “establishment” within the EU (meaning it is already subject to EU laws) or if it meets a limited set of exemptions.
What is “offering goods and services”?
The business or organisation must “envisage” providing goods or services to EU citizens. The fact that EU citizens can access a website or otherwise identify the provider may not be enough to make an organisation subject to GDPR, but evidence that EU citizens are intended to be able to receive goods or services is likely to be sufficient.
What is meant by the term “monitoring their behaviour”?
“Monitoring” will not result from routine online collection or analysis of personal data (for example, website analytics) or occasional contacts with persons within the EU. However, any focused or deliberate analysis of EU citizens, including via behavioural advertising/marketing, conducting surveys, or conducting statistical analyses of personal data – whether for the business or organisation’s own purposes or those of another – is likely to amount to “monitoring”.
What steps should I take?
Organisations which use EU citizens’ data need to decide whether they will be subject to GDPR after “Brexit” as a result of offering goods/services or monitoring behaviour - and, if so, whether any exemptions in Article 27 allow them to avoid appointing a representative.
If a representative is required, it must be appointed by the “Brexit” date and must be able to fulfil its functions, including having access to all necessary records, by that date.
If you have any questions or would like to know more about how we may help you please visit https://www.pdt.co.uk/