8. März 2021
The turn of the year, with the Brexit transitional period ending, finally brought some clarity about the future of data flows between the EU and the UK. A (legally dubious, as not specifically permitted by the GDPR) interim agreement on transborder data flows has been part of the EU-UK Trade and Cooperation Agreement and grants another temporary respite for privacy professionals as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint representatives under Articles 27 EU and UK GDPR fully apply to cross-border processing between the EEA and the UK since January 1, 2021.
The obligation to appoint an EU GDPR representative has an effect on a huge number of companies worldwide, with high fines for non-compliance. In a nutshell, it applies to almost any company falling into the extraterritorial scope of the EU which has no establishment in the European Union. Conversely, as the UK GDPR basically copy-pasted the requirement into British law, companies located in the EU and elsewhere now need representation in the United Kingdom.
Either way, businesses finding themselves in the scope of the EU / UK GDPR representative obligation should take immediate action, as no grace period has been announced by either authority. Fines for non-compliance are in the EUR 10mio tier in the EU and the GBP 8.7mio tier in the UK.
The scope of the new requirement to appoint a representative in the UK is linked to the extraterritorial scope of the UK GDPR pursuant to its ‘destination principle’ in Art. 3 (2), aiming at companies ‘with no offices, branches or other establishments in the UK’ but still active on the UK market. For an assessment of whether the company maintains an ‘establishment’, Recital 22 of the EU GDPR (requiring ‘the effective and real exercise of activity through stable arrangements’, irrespective of its legal form) as well as the ECJ rulings on Weltimmo and Google Spain may also be considered. Although the EU GDPR recitals and the ECJ case law do not allow interpretation of the independent British law from a strictly legal perspective, they still offer valuable guidance as the UK GDPR holistically follows the regulatory concept of its EU model.
A data controller without any establishment in the UK needs to check, first, if its data processing affects data subjects located in the UK, irrespective of their citizenship. Second, it has to consider if one of the two triggers under the ‘destination principle’ applies, which is the case if the data processing relates to either (a) the offering of goods or services, even if provided for free, to such data subjects in the UK, or (b) the monitoring of their behaviour as far as their behaviour takes place within the UK. Since the ICO has not yet issued independent guidance on the territorial scope of the UK GDPR, privacy professionals are advised to consult the related EDPB guidelines to check the business practices against the examples provided therein.
The exemption from the representative requirement under Art. 27 (2) will only apply to companies with unsystematic, non-sensitive personal data transfers between the EU to and UK. The EDPB assumes for the EU GDPR that it does not apply if, for example, transborder data flows occur as a part of the regular course of business. Also, the condition that the processing needs to be ’unlikely to result in a risk to the rights and freedoms of natural persons’ for the exemption to apply (one out of three that needs to be met simultaneously) narrows its scope strongly.
Data processors need to look into the business activities of the data controller, as well as at their own involvement in the particular data processing, which may trigger extraterritorial applicability of the GDPR. If, for example, a data controller makes use of analytics cloud solution (data processor) to collect and analyse personal data within the extraterritorial scope of the UK GDPR, the processor needs to appoint its own UK representative.
The data controller must include the name and contact details of its representative into its privacy policies (Art. 13 and 14 UK GDPR), allowing data subjects to contact the representative directly. The GDPR includes no detailed requirements on the contact channels to be offered. According to the EDPB guidelines on transparency, the information “should preferably allow for different forms of communications with the data controller (e.g. phone number, email, postal address, etc.)”.
Since January 1, as the United Kingdom became a third country under the EU GDPR without any further transition period, a UK company with active business ties to one or more EU member states (and no office locations on the ground) may need to appoint an EU GDPR representative. This is the case if its business activities fulfill one of the criteria for the ‘destination principle’ in Art. 3 (2), meaning that the any processing of personal data from data subjects located in the EU relates, again, to either (a) the offering of goods or services, even if provided for free, to such data subjects in the EU, or (b) the monitoring of their behaviour as far as their behaviour takes place within the EU.
The details of the scope of the requirement equal the situation under British law for EU companies, which is why you should also consider the guidance in the previous chapter on the UK representative. Yet, one important characteristic of the EU law should specifically be considered in the context of enforcement: as the EDPB assumes that non-EU controllers cannot benefit from the ‘lead authority principle’, companies may need to deal with various competent European data protection supervisory authorities, depending on where the affected data subjects are located.
Regarding data breach reporting under Art. 33 GDPR, however, British (as well as other third country) businesses without an establishment in the EU may submit breach notifications to the supervisory authority in the EU member state where the company’s representative is established, as the EDPB suggests in its guidelines on personal data breach notifications, thereby establishing a de-facto one stop shop with respect to breach notifications.
Although there are no substantial changes of the concepts of data protection regulation through the split of the EU and UK GDPR legal regime, companies originating from countries than other the United Kingdom or the European Union may also be affected by Brexit when it comes to GDPR representation. In detail,
The representative can be any natural or legal person established in the EU (or UK, respectively), such as law firms, private companies, individual residents, etc. The EDPB assumes that the role of a DPO, who needs to carry out its tasks in an independent manner, is incompatible with the role of a representative, who is generally bound to instructions by the data controller or processor. Aside from this potential conflict of interest, the EU as well as the UK GDPR state no minimum professional qualifications for the representative.
For the EU representative, the GDPR requires that it is established in one of the EU member states where data subjects concerned are located. The EDPB further recommends, as a non-binding “good practice”, to appoint a representative in the country where “a significant proportion” of the data subjects are.
The representative is mandated in writing to be (additionally or alternatively) addressed on behalf of the data controller or processor on all issues around GDPR compliance. Its primary task is to facilitate contact between the represented entity and the enquirer. In practice, the representative will receive requests from individuals exercising their data subject rights as well as administrative notifications from supervisory authorities. In addition, requirements from national data protection laws may apply.
The representative needs to maintain records of processing activities of the company it represents (Article 30 GDPR). Since the representative usually has no direct insight into the business processes of the company, practically speaking, the represented company needs to provide up-to-date copies of its records of processing activities to its representative. The EU as well as the UK GDPR allow for direct orders of competent supervisory authority against the representative to provide the documentation.
Apart from this, the represented company itself always remains fully liable for complying both with requests from supervisory authorities and data subjects. Moreover, the EDPB has clarified that authorities may not directly enforce against the representative, particularly when it comes to administrative fines. Although Recital 80 states that the representative “should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”, the wording of the GDPR itself does not allow for further liability of the representative.
From an organizational point of view, the representative should be able to fulfill its tasks in a reliable manner, as receipt of inquiries both from data subjects and supervisory authorities may cause severe legal risks for the represented company. Therefore, even though it is possible to simply appoint a vendor or customer located in the EU, it may be advisable to look out for specialized organizations with legal expertise and experience in GDPR compliance. A good representative will ensure timely provision of incoming inquiries and protect companies from legal risks by keeping an eye on deadlines and high-risk inquiries.
von mehreren Autoren