Last month we looked at one potential area of Brexit fall-out for UK businesses in the context of data protection, in relation to the transfer of personal data between the EEA and the UK. This month, we’ll look at the other – the requirements under both EU and UK law to appoint data protection representatives.
Under the EU GDPR, any business which offers goods or services to individuals in the EEA or which monitors the behaviour of such individuals, but which doesn’t have a physical presence within the EEA, must appoint a data protection “representative” within one of the EEA states in which some of those individuals are located.
Most businesses will know whether they are offering goods or services to potential customers in the EEA. However, what constitutes “monitoring the behaviour” of individuals in the EEA is a little less clear. One of the introductory paragraphs to the EU GDPR says that this can include tracking individuals on the internet, for example using their traffic and purchasing data to analyse or predict their personal preferences, behaviours and attitudes. This kind of activity is becoming ever more prevalent in the online sales market, through the use of ever more sophisticated cookies.
There are two things that affected businesses might do in order to comply with these requirements:
A representative can be an individual or a corporate entity. The purpose of the role is to provide a liaison with data subjects and data protection authorities within the relevant jurisdiction. We work with a number of law firms around Europe who can offer this service if required. So if you’re in any doubt as to whether you need to appoint a data protection representative in Europe, please contact us.
As with the data transfer issues highlighted in our first article, the same rules apply in reverse, but this time with real effect. So any entity outside the UK, which doesn’t have a physical presence in the UK, must, under the UK GDPR, appoint a data protection representative in the UK if it offers goods or services to individuals in the UK or monitors the behaviour of individuals there. As of 1 January 2021, that includes any entity in Europe that doesn’t also have a base in the UK.
One consequence of this is that businesses based outside both the UK and the EEA, who had previously appointed a data protection representative in the EEA (whether in the UK because it was part of the EEA then, or elsewhere), will probably now have to appoint another representative, in whichever of the UK or the EEA they don’t now have covered. That will be the case if they are offering goods and services to, or monitoring the behaviour of, individuals in both the UK and the EEA.