Why you need GDPR Representation
Article 27 of the GDPR requires organisations established solely outside the UK or the European Economic Area (EEA) that regularly process residents’ personal data from these territories to appoint a Representative that:
- Acts as the point of contact for data subjects and supervisory authorities; and
- Enables supervisory authorities to pursue enforcement actions within the territories
Now that the UK has left the EU, the following rules apply:
- Organisations without a presence in the UK and the EEA need separate representatives in both territories
- UK organisations need a Representative in the EEA
- EEA organisations need a Representative in the UK
This fact sheet explains which organisations must appoint a GDPR Representative for the EU and the UK.
WHAT THE GDPR REQUIRES OF A REPRESENTATIVE
Responsibilities

The Representative is required to:
- Co-operate with the supervisory authorities
- Facilitate communication between data subjects and your organisation
- Be readily accessible to data subjects in all relevant member states
- Maintain a Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR

Supervisory authorities can pursue enforcement actions through the Representative for the noncompliance of the organisation they represent
The Position

The Representative:
- Is appointed to represent data controllers or processors that are not established in the EU and/or the UK
- Must be established in one of the member states where the controller or processor’s data subjects reside
- Can be subject to enforcement proceedings for non-compliance by the controller or processor


The Representative can be a person or company, but with a lead contact assigned

The Representative appears on your privacy policy as the contact for EU data subjects and regulators
YOUR GDPR REPRESENTATIVE SHOULD WORK WITH YOU TO:
Set up your GDPR Representation

Ensure your privacy policy displays the Representative’s contact details

Understand your dataflows

Review previous gap analysis and impact assessments

Ensure adequate security measures are being taken to protect EU and UK residents’ data

Be aware of any previous breaches or non-compliance

Establish a copy of your Records of Processing Activities (RoPA)
Provide ongoing GDPR Representation

Maintain and update your RoPA on an ongoing basis

Translate and respond to queries from European and UK data protection authorities and data subjects

Log and (where appropriate) report breaches

Receive and log data subject rights requests and advise on suitable responses

Advise on data protection regulatory issues that impact your organisation