What Is a UK Representative and Why Do You Need One?

Natacha has held a number senior positions at the Foreign Office, including as Deputy Ambassador UK Representative for China and Director for Economic Diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.

Companies that are located outside of the UK are bound by UK privacy legislation. They must designate a representative in the UK to serve as their point of contact for data subjects and the ICO.

What is an UK representative?

The UK Representative is a person, company or organisation that has been mandated by a controller or processor of data to act in their behalf on all matters relating to GDPR compliance. They will be the primary contact for any queries from data subjects exercising their rights, or for requests from supervisory authorities and may be subject to national requirements that have been enacted in the context of GDPR's extraterritorial scope (see the UK case Rondon v LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of a representative. This requirement is applicable to all organizations that do not have a permanent presence in the United Kingdom but offer goods or services, or monitor the behavior of individuals located there or who handle personal data. The representative must be able to provide proof of their identity as well as that they are able of representing the data controller or processor in relation to the UK GDPR's requirements.

The representative must also be able communicate with authorities if there's a breach. The Representative must notify the supervisory authority who appointed them regardless of whether the breach affects data subjects in multiple jurisdictions.

It is recommended that the Representative has experience of working with both European and UK-based data protection authorities. It is also important that they have local language skills because they are likely to receive contact from both individuals and data protection authorities in the countries in which they work.

The EDPB says that the Representative is responsible for non-compliance. However, the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 has confirmed that a representative is not able to be sued by a person who believes that the controller of the data has failed to meet the GDPR requirements in the UK. The court found that the Representative was not in direct connection with the data processing activities of the represented entity.

Who needs to appoint a UK Representative?

In order to comply with the EU GDPR, businesses outside of the EU that market their products or services to European citizens but do not have an office, branch or establishment in the EU must appoint an EU Representative. This is in addition to requirements from national laws on data protection. The role of a Representative is to serve as the local point of contact for individuals and supervisory authorities with respect to GDPR compliance issues.

The UK has an identical requirement to that of the EU that is described in Article 27 of UK-GDPR. The threshold is the same as that of the EU requirement: any company that offers goods or services in the UK, or monitoring the conduct of individuals who are data subjects, must designate an UK representative.

Under the UK-GDPR, a Representative must be appointed in writing "to be, additionally or alternatively addressed, on behalf of the controller or processor by the data subjects and the British Information Commissioner's Office[British Information Commissioner's Office]". They are not permitted to be personally accountable for compliance with the GDPR. They must however cooperate with supervisory authorities in formal proceedings, and receive notifications from individuals who exercise their rights. ).

Representatives must be located in the state of the European Union in which the individuals whose personal information is processed reside. This is not a simple decision and requires an extensive legal and business analysis to determine the right location for an organization. We offer a dedicated service to help companies evaluate their needs and select the most appropriate representative location.

It is also recommended that Representatives have experience interacting with supervisory authority as well as handling data subject inquiries. Language skills in the local language can also be essential, as the role may involve dealing with inquiries by supervisory authority or data subjects in multiple countries throughout Europe.

The identity of the representative must be disclosed to individuals who are the data subjects via privacy policies and other information that is provided prior to the collection of data (see article 13 UK-GDPR). The UK Representative's contact information should also be made available on your website, allowing the authorities in charge of supervision easy access to get in touch with them.

When is the best time to designate an UK Representative?

If your business is based outside of the UK offers goods or services to customers who reside in the UK or monitors their behaviour it is possible to select the position of a UK Representative. The UK's Applied EU GDPR regime applies for established entities outside the UK which are operating in the UK. It has the same extraterritorial scope as EU GDPR, but with a few exceptions. It is recommended that you take our free self-assessment how to become an avon representative see whether you are subject to this obligation.

A Representative is mandated by the appointing entity in an agreement to represent the entity in relation to specific obligations under UK and EU GDPR if applicable. In the UK the primary goal of this is to facilitate communication between the appointing party and the Information Commissioner's Office (ICO) or any other affected data subjects in the UK. A Representative could be an individual or a company with a UK base. The body that appoints them must inform the data subjects that the Representative will be processing their personal information and ensure that the identity of the individual or business is readily available to supervisory authorities.

The entity that is appointing the representative must provide the contact details of its representative to the ICO and data subjects affected in the UK in conformity with Article 13 and 14 of UK GDPR. It must make it clear that the job of a Representative is different from and not compatible with the duties of the role of a Data Protection Officer ("DPO") which requires a certain degree of autonomy and independence that cannot be provided by a representative.

If you have to appoint an UK representative It is advised to do so as quickly as you can. This is because this obligation is either immediately following Brexit (if it is a "hard" or "no deal" Brexit) or following an implementation period (if it's a "soft" or "with deal". There is no grace period.

What are the requirements to become a UK representative?

Under the UK laws on data protection (and specifically article 27 of the UK GDPR) A representative is an individual or a company that is "designated in writing" by an entity that does not have a presence in the UK but is subject to the rules of the law. The UK representative should be able to represent an entity with respect to its obligations under law. The contact information of the representative should be readily accessible to UK residents whose personal data are being processed by a non-UK business.

The UK Representative must be an overseas senior employee of a media or business company and has been recruited and employed as an employee by the business or media organization outside of the UK. The person applying for the visa must intend to be full-time employed as the UK representative for the media or business organization, and they are not allowed to engage in any other business ventures in the UK.

Additionally, the visa applicant must prove that they have the necessary skills and experience to fulfill their role as UK Representative, which will include acting as local contact for inquiries from data subjects and UK authorities for data protection. This is to ensure that the UK Representative is knowledgeable of and expertise in the UK data protection laws, and is able to respond to requests from individuals exercising their rights under the law and any other inquiries or requests received from authorities dealing with data protection.

As the Brexit process continues it is likely that the UK data protection laws will evolve over time. At the moment, it is expected that companies from outside the UK who do business in the UK and process personal data of individuals in the UK will be required to appoint a UK representative.

This is because article 27 of the GDPR law in the UK which was enacted as an UK national law, requires companies without having a presence in the UK to appoint the position of a UK data protection representative. If you are not sure whether you are required to nominate a UK data protection representative It is suggested that you speak to an experienced legal advisor.