ARTICLE 27 GDPR REPRESENTATION
Article 27 of the GDPR
Article 27 of the GDPR requires organisations outside the European Economic Area (EEA), that process EEA residents’ data to appoint a Representative providing that processing:
- Is on a large scale or includes special categories of data
- Is not occasional and is likely to result in a risk to the rights and freedoms of the data subject
The Representative must act as the first point of contact for both EEA residents and GDPR supervisory authorities throughout the EU.
This page explains the impact of Brexit on the UK after the Transition Period.
THE IMPACT OF BREXIT
When the UK was a member of the EU, non-EEA organisations could appoint a single representative to cover both the UK and the rest of the EU member states. This arrangement continued throughout the transition period as the UK and the EU negotiate the UK’s withdrawal.
After the Transition Period
After 31st December 2020, at the end of the transition period, the UK Government’s current position is that data controllers or processors located outside the UK that process the personal data of UK residents need to appoint a UK Representative.
EU law continues to require organisations based outside the EEA (including the UK) that process data on EU residents, to have an EU Representative. If an organisation processes personal data of data subjects residing in a limited number of EU states, then its Representative should have a presence in one of those states.
BREXIT BREAKDOWN – WHAT DOES THIS MEAN?
| DURING THE TRANSITION PERIOD | AFTER THE TRANSITION PERIOD | |
| Business as usual | UK GDPR currently | |
| Non EEA organisations require | ||
| EU representative Including UK (as current) | ✓ | |
| EU Representative based in the EU | ✓ | |
| UK Representative based in UK | ✓ | |
| UK organisations require | ||
| No representation (as current) | ✓ | |
| EU Representative based in the EU | ✓ | |
| Remaining continental EU organisations require | ||
| No representation (as current) | ✓ | |
| UK Representative based in UK | ✓ |
COUNTRIES ADOPTING THE GDPR
The GDPR is an EU regulation that is enforced throughout the European member states. The ultimate arbiter of the legislation is the Court of Justice of the European Union (CJEU) based in Luxembourg.
The GDPR has also been adopted by members of the European Economic Area and Switzerland although the CJEU is not the ultimate arbiter in these cases. Following the Brexit transition period, the UK Supreme Court is ultimately responsible for interpreting the UK GDPR.
27 EU members
Other EEA members
Other single
market members
ADEQUACY
Under Article 45 of the GDPR, a third country can be deemed “adequate” by the European Commission if its levels of data protection are essentially equivalent to those provided in the EU
through the GDPR.
If a country is deemed adequate, then cross-border data transfers to organisations within that country can be conducted without further safeguards or controls.
There is a defined process for making adequacy decisions so adequacy cannot be granted immediately.
Adequate countries
Following the transition period, the EU Commission granted the UK adequacy. Following Brexit, the UK can now make its own adequacy rulings (‘adequacy regulations’). At present, the UK has granted adequacy to the same countries as the EU, as well as the EU itself, but this may change in the future.
Representation requirements are independent of adequacy.
Representation is required to ensure a local point of contact both for data subjects and the supervisory authority. If an organisation processes the personal data of data subjects residing in a limited number of EU states then its representative must have a presence in one of those states.
ENQUIRE TODAY
Fill in your details below and we’ll get back to you as soon as possible