Appointing EU Representatives: What, Why, When, How?

Last updated, 19 January 2021, 3:00pm

After Brexit, UK organisations doing business in the EU will need to comply with both UK and EU data protection law, in the guise of “UK GDPR” and “EU GDPR” respectively.The EU GDPR requires you to appoint a representative in the EU if you do not have a presence there.The following information sets out some key considerations about appointing an EU Representative for your organisation:

What is an EU Representative, and why might we need one?

The EU GDPR requires you to appoint a representative in the EU if you do not have a presence there.An EU Representative is your organisation's contact point for individuals and data authorities in the EU, in relation to EU GDPR matters.If your business does not have an EU establishment (such as an office or a branch), but you:(i) offer goods and services into the EU; or(ii) monitor the behaviour of persons in the EU following the Brexit transition period,you should therefore consider appointing an EU representative.There are few exceptions to this rule (for example, where your organisation is a public authority, or where your data processing is low risk or occasional).


When should we appoint an EU Representative?

You should consider appointing an EU Representative before you offer goods or services into the EU or monitor the behaviour of persons in the EU.


How should we appoint an EU Representative?

If you need to appoint an EU Representative, you should consider the following:The EU Representative can be an individual, or a company or organisation established in the EEA.

  1. The EU Representative must be able to represent your organisation regarding its obligations under the EU GDPR. The EU Representative must be capable of ensuring your organisation complies with the EU GDPR by enabling communication with individuals and data protection authorities in the EU.
  2. Your appointment of an EU Representative must be in writing and should set out the terms of your relationship with them. You can do this by entering into a service contract with the EU Representative you wish to appoint.
  3. Once you have appointed an EU Representative, you should make their details publicly available. You can do this by updating your privacy notices to reflect the appointment of the EU Representative, and ensuring that the notices are publicly accessible.
  4. Appointing an EU Representative does not get you off the GDPR's hook! The EU Representative may be subject to enforcement actions by data authorities in the EU, but your organisation will remain liable for any breaches of EU GDPR.

What if you are an EU business located outside the UK?

The situation is likely to be similar to the above, but in reverse.The UK Government's intention is that EU businesses without an establishment in the UK will need to appoint a “UK Representative” where they: (i) offer goods and services; or (ii) monitor the behaviour of persons in the UK.


How can Freeths help?

We have a team of specialist Data and Information lawyers who can guide you through this process. Examples of how we can support your organisation include:

  • Advising on whether you need to appoint an EU Representative
  • Helping you select a suitable EU Representative
  • Drafting and negotiating service contracts with your chosen EU Representative
  • Drafting amendments to your privacy notices to reflect your appointment of the EU Representative

Head to our Brexit Exchange where you will find all the latest updates and developments from our experts, regarding Brexit and how that affects businesses and individuals in a range of areas.

 

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.