ARTICLE 27 GDPR REPRESENTATION PUT YOUR BREXIT PLAN IN PLACE NOW

Article 27 of the GDPR

Article 27 of the GDPR requires organisations outside the European Economic Area (EEA), that process EEA residents’ data to appoint a Representative providing that processing:

  • Is on a large scale or includes special categories of data
  • Is not occasional and is likely to result in a risk to the rights and freedoms of the data subject

 

The Representative must act as the first point of contact for both EEA residents and GDPR supervisory authorities throughout the EU.

This page explains the impact of Brexit on GDPR and what happens in both cases of remain & leave. 

THE IMPACT OF BREXIT

Whilst the UK is a member of the EU, then non-EEA organisations can appoint a single representative to cover both the UK and the rest of the EU member states.

Post Brexit

Post Brexit, UK law will require controllers or processors located outside the UK that process personal data on UK citizens to appoint a UK representative.

EU law will continue to require organisations based outside the EEA and processing data on EU residents, including a post Brexit UK, to appoint an EU representative.

If an organisation processes personal data of data subjects residing in a limited number of EU states then its representative should have a presence in one of those states.

Plan to put your representation structures in place now, so they are effective immediately upon Brexit

BREXIT BREAKDOWN – WHAT DOES THIS MEAN?

    REMAIN   LEAVE
    UK Remains in the EU   UK leaves the EU
Non EEA organisations require
EU representative Including UK (as current)
EU Representative based in the EU                  
UK Representative based in UK                    
UK organisations require                  
No representation (as current)
EU Representative based in the EU
Remaining continental EU organisations require
No representation (as current)
UK Representative based in UK

THE DPO CENTRE PLEDGE – NO BREXIT NO UK FEE

Put your EU and UK representation requirements in place with The DPO Centre straightaway and we will

tick
Put an agreement in place that covers all eventualities
tick
Only charge the fee relevant to the eventual outcome
tick
Cancel the UK representation contract if Brexit is reversed

COUNTRIES ADOPTING THE GDPR

The GDPR is an EU regulation that is enforced throughout the 28 European member states. The ultimate arbiter of the legislation is the Court of Justice of the European union (CJEU) based in Luxembourg.

The GDPR has also been adopted by members of the European Economic Area and Switzerland.

flags

28 EU members

tick
Austria
tick
Belgium
tick
Bulgaria
tick
Croatia
tick
Republic of Cyprus
tick
Czech Republic
tick
Denmark
tick
Estonia
tick
Finland
tick
France
tick
Germany
tick
Greece
tick
Hungary
tick
Ireland
tick
Italy
tick
Latvia
tick
Lithuania
tick
Luxembourg
tick
Malta
tick
Netherlands
tick
Poland
tick
Portugal
tick
Romania
tick
Sovakia
tick
Slovenia
tick
Spain
tick
Sweden
tick
United Kingdom

Other EEA members

tick
Iceland
tick
Liechtenstein
tick
Norway

Other single
market members

tick
Switzerland

ADEQUACY

Under Article 45 of the GDPR, a third country can be deemed “adequate” by the European Commission if its levels of data protection are essentially equivalent to those provided in the EU through the GDPR.

If a country is deemed adequate, then cross-border data transfers to organisations within that country can be conducted without further safeguards or controls.

There is a defined process for making adequacy decisions and adequacy cannot be granted immediately.

Adequate countries

tick
Andorra
tick
Argentina
tick
Canada
tick
Faroe Islands
tick
Guernsey
tick
Israel
tick
Isle of Man
tick
Japan
tick
Jersey
tick
New Zealand
tick
Switzerland
tick
Uruguay
tick
USA (Privacy Shield)

Representation requirements are independent of adequacy.

Representation is required to ensure a local point of contact both for data subjects and the supervisory authority. If an organisation processes the personal data of data subjects residing in a limited number of EU states then its representative must have a presence in one of those states.

pdf

Download a PDF version of this fact sheet here.

Click one of the options below to speak to us about our Data Protection Services

 

Email Call Contact Form