Navigating the complexities of data protection regulations can be challenging, especially for organisations and businesses operating across borders.
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) specifies that organisations located outside the EU, without an establishment in the region, must designate a Representative if they offer goods or services to, or monitor the behaviour of, individuals in the EU and process their personal data. The UK GDPR (the EU GDPR as retained in UK law from 1 January 2021, read alongside the Data Protection Act 2018) has the same requirement for organisations processing the personal data of UK residents.
This is a requirement for both data controllers and processors.
A controller is defined as a person or organisation that determines the means and purpose of processing personal data. A processor is a person or organisation that processes personal data only under the instructions of the controller.
In this blog, we help you understand whether your organisation needs an EU or UK GDPR Representative, or possibly both. Whether you are a data controller or processor, we answer some of the key questions frequently asked by businesses across the spectrum of industry sectors and sizes.
A GDPR Representative is a person or organisation appointed to represent a controller or processor that handles the personal data of EU or UK residents and is located outside those territories.
There are two types of GDPR Representatives:
EU GDPR Representative: Required if you are a data controller or processor located outside the EU and offer goods or services to, or monitor the behaviour of, EU residents.
UK GDPR Representative: Required if you are a data controller or processor located outside the UK and offer goods or services to, or monitor the behaviour of, UK residents.
Representatives act as a point of contact for EU and UK-based individuals who want to exercise their data subject rights (the right to be informed, access, rectification, erasure, restriction of processing, data portability, the right to object and rights relating to automated decision making and profiling), and for regulatory authorities that have queries about the data processing activities.
EXAMPLE: If an individual living in the EU wants to know what personal data a company in the US holds about them (a right exercised through a Data Subject Access Request, or DSAR), they can contact the company’s EU GDPR Representative. The Representative passes the request to the company and acts as the channel for the response, so that the individual receives the information they are entitled to within the statutory deadline. Responsibility for actually fulfilling the request remains with the controller.
Whether your organisation needs a Representative will depend on each individual situation: whether the type of processing and volume of data is deemed ‘occasional’, and whether the organisation is offering goods or services to, or monitoring the behaviour of, EU or UK residents.
Generally, if data processing is occasional, is of low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data, you will not need to appoint a GDPR Representative.
EXAMPLE 1: A US medical device company sells goods to US customers. The company does not currently have any marketing activities within EU markets. However, it has acquired a single EU customer. The personal data processing for this single customer would be deemed occasional, as it is a one-off sale that will not occur on a regular basis, or only on a limited scale, and the company did not target the EU market. In this situation, the company would not need an EU GDPR Representative.
EXAMPLE 2: A Canadian tech company sells software predominantly to North American customers and is expanding the business by advertising to EU and UK markets. The volume of EU and UK personal data processing is low, compared to the rest of the business. However, the company is specifically targeting EU and UK residents and offering goods and services as part of the business function. The company here would require both an EU and UK GDPR Representative.
It is important to note that even occasional processing of EU or UK personal data must still comply with the GDPR. This includes having a lawful basis for processing personal data and taking appropriate data security measures.
Pseudonymisation is a useful security technique that makes it harder to identify individuals from a dataset without changing the dataset’s legal status.
Pseudonymised data, sometimes known as coded data, is personal data that has been altered so that it can no longer be attributed to a specific person without the use of additional information, and that additional information (the key or mapping table) is kept separately under technical and organisational controls. For example, names are replaced with aliases, addresses with regions, dates of birth with age ranges, etc. Not all of these alterations need to be applied for data to be considered pseudonymised; which fields to transform depends on the specific dataset. Any field that could single out a particular individual, alone or in combination with other fields, should be transformed.
EXAMPLE: A life sciences organisation in the US is a sponsor for a clinical trial in the EU. The trial participants’ data are pseudonymised for safeguarding and security. As EU residents’ personal data is being processed, the sponsor must comply with the GDPR. Under the GDPR, pseudonymisation does not change the status of personal data as it remains ‘indirectly identifiable’.
Therefore, as the trial is designed specifically for EU participant data, and the data will be processed outside the EU, the organisation must appoint an EU GDPR Representative, unless it has an appropriate establishment within the EU. Even if the organisation has a data protection officer (DPO), it will still need a GDPR Representative, as the roles hold different functions (as explained later).
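The following is an added example, not code from the original post or from The DPO Centre, showing the pseudonymisation scheme described above on constructed records: direct identifiers are replaced with a keyed alias (HMAC-SHA256 under a secret key held apart from the dataset), postcodes are generalised to a region and dates of birth to an age band. The same key re-links an alias to the original identifier, which is why the output is still personal data under the GDPR. The closing function shows the failure mode a practitioner should check for: an unkeyed hash of a guessable identifier such as an e-mail address is not a safe pseudonym, because anyone can recompute it over a candidate list. Field names, the sample records and the key are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "postcode": "SW1A 1AA", "dob": "1984-03-12", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org",
     "postcode": "M1 1AE", "dob": "1959-11-02", "diagnosis": "hypertension"},
]

# The "additional information" of Art. 4(5): a secret key that must be stored
# separately from the pseudonymised dataset. Placeholder value for the example;
# in practice generate 32 random bytes and keep them in a secrets store.
KEY = b"example-only-key-keep-apart-from-the-dataset"

# Reference date fixed so the example is reproducible (assumption).
TODAY = date(2024, 1, 1)


def alias(identifier: str, key: bytes = KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 over a normalised identifier.
    Same input gives the same alias, so records stay linkable across the
    dataset; without the key the alias cannot be recomputed from a guess."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def region(postcode: str) -> str:
    """Generalise a UK-style postcode to its leading area letters
    ('SW1A 1AA' -> 'SW'), discarding the street-level part."""
    letters = ""
    for ch in postcode.strip().upper():
        if not ch.isalpha():
            break
        letters += ch
    return letters or "UNKNOWN"


def age_band(dob: str, today: date = TODAY) -> str:
    """Replace an ISO date of birth with a 10-year age band ('30-39')."""
    year, month, day = (int(part) for part in dob.split("-"))
    age = today.year - year - ((today.month, today.day) < (month, day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(record: dict, key: bytes = KEY) -> dict:
    """Produce the coded record: name and e-mail dropped, e-mail replaced by a
    keyed alias, quasi-identifiers generalised, the payload field kept."""
    return {
        "subject_id": alias(record["email"], key),
        "region": region(record["postcode"]),
        "age_band": age_band(record["dob"]),
        "diagnosis": record["diagnosis"],
    }


def reidentify(subject_id: str, candidates: list, key: bytes = KEY):
    """Whoever holds the key and the original identifiers can link an alias
    back to a person. This is the reason pseudonymised data remains personal
    data: it is 'indirectly identifiable' via the additional information."""
    for email in candidates:
        if hmac.compare_digest(alias(email, key), subject_id):
            return email
    return None


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative: a plain SHA-256 of the identifier, no secret."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()[:16]


def dictionary_attack(token: str, candidates: list):
    """Anyone with a list of plausible e-mail addresses recovers the person
    behind an unkeyed hash by recomputing it; no key is needed."""
    for email in candidates:
        if unkeyed_hash(email) == token:
            return email
    return None


if __name__ == "__main__":
    coded = [pseudonymise(r) for r in RECORDS]
    for row in coded:
        print(row)
    emails = [r["email"] for r in RECORDS]
    print("key holder re-links:", reidentify(coded[0]["subject_id"], emails))
    print("unkeyed hash broken:", dictionary_attack(unkeyed_hash(emails[0]), emails))
```

Run as a script it prints the coded rows and then demonstrates both re-linking with the key and the dictionary attack on the unkeyed variant. The design choice that matters for Article 4(5) is that `KEY` never sits in the same place as the coded dataset; if a processor receiving the coded data also receives the key (or the raw identifiers), the data is plainly identifiable in their hands.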
If your organisation processes both EU and UK personal data and does not have a branch, office or other establishment in any EU, EEA or UK region, you may need to appoint both an EU and a UK GDPR Representative.
EXAMPLE: A lead generation company in Singapore targets EU and UK residents with a number of digital marketing campaigns. It collects, uses and processes various types of personal data, including names, emails, phone numbers and addresses. As the company does not have a suitable establishment within either the EU or the UK, to comply with the GDPR it would need to appoint both an EU and a UK GDPR Representative as a point of contact.
It is important to note that as the UK has completely separated from the EU, it is considered a different jurisdiction for data processing.
UK organisations without an office or branch in the EU that process EU residents’ personal data will need to appoint an EU GDPR Representative. Likewise, EU organisations that do not have an office or branch in the UK and process UK residents’ data need to appoint a UK GDPR Representative.
The main qualifying factor for the requirement of a GDPR Representative is whether the company processes the personal data of EU or UK residents and is located outside these areas.
Other factors include the type of processing, the volume of data and whether it is considered large scale. The size of the company is not of primary importance, but the volume and type of data processing are.
There isn’t a specific volume of data that triggers the need for a GDPR Representative. What matters is whether the EU or UK processing is a regular part of the business rather than an isolated event, judged against the organisation’s normal scale of processing. This can vary, depending on the industry sector.
EXAMPLE: A small tech company in China sells various apps to its main customer base in the UK. It wants to enter the EU market and runs several online marketing campaigns to attract more customers. The company processes names, addresses and payment information. As one of its products is an exercise app, it also captures and stores health information. The company does not have an office or branch in either the EU or the UK, but it currently has a UK GDPR Representative. It will now also need to appoint an EU GDPR Representative to act as a point of contact for EU authorities and customers.
Special category data refers to a particular type of personal data that is considered more sensitive and requires higher levels of protection. Under Article 9 of the GDPR this covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to identify a person, and data concerning health, sex life or sexual orientation.
It is important to note that when it comes to handling special category data, like health records or clinical trial information, it is often necessary to appoint a GDPR Representative. This is usually because the processing involves large amounts of sensitive information.
However, according to Article 27(2)(a) of the GDPR, if a non-EU/UK company processes EU/UK residents’ personal data only occasionally, and this processing does not involve large-scale use of special category or criminal offence data and is unlikely to pose a risk to the rights and freedoms of individuals, then the company is not obliged to appoint a GDPR Representative. This provision is significant for smaller or less data-intensive non-EU/UK organisations, as it reduces their compliance burden under the GDPR.
Controllers and processors need to appoint a GDPR Representative if they are located outside these regions and process the personal data of EU or UK residents.
If both the controller and processor are located outside the EU or UK, they will both need to appoint a suitable GDPR Representative.
EXAMPLE: A tech company in the US provides data analysis for another US tech company, who sells marketing services to an insurance company in the Netherlands. Both tech companies are processing the data of EU residents. Therefore, under the GDPR, both companies will need to appoint an EU GDPR Representative. As the insurance company is based in the EU, they do not need to appoint one.
It is important to note that appointing a Representative does not address international transfers. A separate transfer mechanism, such as standard contractual clauses (SCCs, the legal tool that provides safeguards for data transfers from the EU or EEA to third countries) or an adequacy decision, is required for transfers of personal data between controllers and processors outside the EU or UK, along with the accompanying transfer risk assessment (TRA, the UK term) or transfer impact assessment (TIA, the EU term).
Read about SCCs for data transfers
A GDPR Representative and Data Protection Officer (DPO) have distinct roles.
Data protection officers work internally within organisations to inform, advise and monitor compliance with the GDPR.
GDPR Representatives act on behalf of companies not based in the EU or UK and facilitate external communications as required. They are the official point of contact for data subjects and supervisory authorities and should communicate in the language of the request.
The two roles can collaborate to ensure that data protection practices are effective and aligned with regulatory requirements.
EXAMPLE: A UK-based insurance company sells products to customers in the UK and EU. The company has a DPO and an EU GDPR Representative. The DPO is responsible for monitoring and managing compliance with UK GDPR and EU GDPR, advising on data protection obligations and acting as a point of contact for UK data subjects and the UK’s Information Commissioner’s Office (ICO), the independent supervisory authority for the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. The EU GDPR Representative is the local point of contact for EU data subjects and each of the EU supervisory authorities. They handle any inquiries or complaints from EU customers and EU data protection authorities, and relay these to the DPO, liaising as required. The DPO advises the company on how to handle any EU inquiries to ensure compliance with EU GDPR. The two roles are distinct and separate, although they work together when needed to ensure the company is compliant when processing EU personal data and no conflict of interest is created.
In this example, the company has both a DPO and a GDPR Representative. For companies that do not have a DPO, the GDPR Representative would relay any inquiries or complaints from customers and data protection authorities directly to the company.
A GDPR Representative acts as a point of contact for data subjects and data protection authorities. There are two types – an EU GDPR Representative and a UK GDPR Representative.
The requirement for an EU or UK GDPR Representative applies equally to data controllers and data processors that handle the personal data of EU or UK residents, respectively. It does not depend on the size of the organisation; what matters is the nature, regularity and volume of the processing.
To summarise: if your business is based outside the EU and you process the data of EU residents, you will need an EU GDPR Representative, unless you have a local establishment. The same applies if your business is based outside the UK and you process UK residents’ data – you will need a UK GDPR Representative.
We have worked with over 800 clients globally across the spectrum of industry sectors, supporting their data protection compliance and bringing peace of mind.
If you’d like to discuss how we can help your company, please contact us by filling in the form below.