ARTICLE 27 GDPR REPRESENTATION PUT YOUR BREXIT PLAN IN PLACE NOW

Article 27 of the GDPR

Article 27 of the GDPR requires organisations outside the European Economic Area (EEA), that process EEA residents’ data to appoint a Representative providing that processing:

  • Is on a large scale or includes special categories of data
  • Is not occasional and is likely to result in a risk to the rights and freedoms of the data subject

 

The Representative must act as the first point of contact for both EEA residents and GDPR supervisory authorities throughout the EU.

This page explains the impact of Brexit on GDPR and what happens after the Transition Period. 

THE IMPACT OF BREXIT

When the UK was a member of the EU, non-EEA organisations could appoint a single representative to cover both the UK and the rest of the EU member states. This arrangement will continue throughout the transition period as the UK and the EU negotiate the UK’s withdrawal.

After the Transition Period

After 31st December 2020, at the end of the transition period, the UK Government’s current position is that data controllers or processors located outside the UK that process the personal data of UK citizens will need to appoint a UK Representative.

EU law will continue to require organisations based outside the EEA (including the UK) that process data on EU residents, to have an EU Representative. If an organisation processes personal data of data subjects residing in a limited number of EU states, then its Representative should have a presence in one of those states.

This position may change during the transition period negotiations but probably represents the most likely outcome.

BREXIT BREAKDOWN – WHAT DOES THIS MEAN?

    DURING THE TRANSITION PERIOD   AFTER THE TRANSITION PERIOD
Business as usual Expected outcome currently
Non EEA organisations require
EU representative Including UK (as current)
EU Representative based in the EU                  
UK Representative based in UK                    
UK organisations require                  
No representation (as current)
EU Representative based in the EU
Remaining continental EU organisations require
No representation (as current)
UK Representative based in UK

COUNTRIES ADOPTING THE GDPR

The GDPR is an EU regulation that is enforced throughout the European member states. The ultimate arbiter of the legislation is the Court of Justice of the European Union (CJEU) based in Luxembourg.

The GDPR has also been adopted by members of the European Economic Area and Switzerland although the CJEU is not the ultimate arbiter in these cases. After the Brexit transition period the UK Supreme Court will be ultimately responsible for interpreting the UK GDPR.

flags

27 EU members

tick
Austria
tick
Belgium
tick
Bulgaria
tick
Croatia
tick
Republic of Cyprus
tick
Czech Republic
tick
Denmark
tick
Estonia
tick
Finland
tick
France
tick
Germany
tick
Greece
tick
Hungary
tick
Ireland
tick
Italy
tick
Latvia
tick
Lithuania
tick
Luxembourg
tick
Malta
tick
Netherlands
tick
Poland
tick
Portugal
tick
Romania
tick
Sovakia
tick
Slovenia
tick
Spain
tick
Sweden

Other Countries

tick
United Kingdom

Other EEA members

tick
Iceland
tick
Liechtenstein
tick
Norway

Other single
market members

tick
Switzerland

ADEQUACY

Under Article 45 of the GDPR, a third country can be deemed “adequate” by the European Commission if its levels of data protection are essentially equivalent to those provided in the EU
through the GDPR.

If a country is deemed adequate, then cross-border data transfers to organisations within that country can be conducted without further safeguards or controls.

There is a defined process for making adequacy decisions so adequacy cannot be granted immediately.

Adequate countries

tick
Andorra
tick
Argentina
tick
Canada
tick
Faroe Islands
tick
Guernsey
tick
Israel
tick
Isle of Man
tick
Japan
tick
Jersey
tick
New Zealand
tick
Switzerland
tick
Uruguay
tick
USA (Privacy Shield)

Whether or not the EU considers the United Kingdom to be adequate at the end of the transition period will be determined during the withdrawal negotiations.

Representation requirements are independent of adequacy.

Representation is required to ensure a local point of contact both for data subjects and the supervisory authority. If an organisation processes the personal data of data subjects residing in a limited number of EU states then its representative must have a presence in one of those states.

pdf

Download a PDF version of this fact sheet here.

ENQUIRE TODAY

Fill in your details below and we’ll get back to you as soon as possible

Alternatively click one of the options below to speak to us

 

Email Call