Why you need GDPR Representation

Article 27 of the GDPR requires organisations that are established solely outside the UK or the European Economic Area (EEA), and that regularly process the personal data of residents of these territories, to appoint a Representative that:

  • Acts as the point of contact for data subjects and supervisory authorities; and
  • Enables supervisory authorities to pursue enforcement actions within the territories

 

During the transition period, it will be “business as usual” while the UK and the EU negotiate the UK’s withdrawal. It is not yet clear how these negotiations will impact the requirements around representation thereafter.

The UK Government’s current position is that both UK and EU representation will be needed after December 2020. In this case:

  • Organisations without a presence in the UK and the EEA will then need separate representatives in both territories
  • UK organisations will need a Representative in the EEA
  • EEA organisations will need a Representative in the UK

This fact sheet explains which organisations must appoint GDPR Representatives for the EU and the UK.

WHAT THE GDPR REQUIRES OF A REPRESENTATIVE

Responsibilities

The Representative is required to:

  • Co-operate with the supervisory authorities
  • Facilitate communication between data subjects and your organisation
  • Be readily accessible to data subjects in all relevant member states
  • Maintain a Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR

Supervisory authorities can pursue enforcement actions through the Representative for the non-compliance of the organisation they represent

The Position

The Representative:

  • Is appointed to represent data controllers or processors that are not established in the EU and/or the UK
  • Must be established in one of the member states where the controller or processor’s data subjects reside
  • Can be subject to enforcement proceedings for non-compliance by the controller or processor

The Representative can be a person or company, but with a lead contact assigned

The Representative appears on your privacy policy as the contact for EU data subjects and regulators

YOUR GDPR REPRESENTATIVE SHOULD WORK WITH YOU TO:

Set up your GDPR Representation

  • Ensure your privacy policy displays the Representative’s contact details
  • Understand your dataflows
  • Review previous gap analysis and impact assessments
  • Ensure adequate security measures are being taken to protect EU and UK residents’ data
  • Be aware of any previous breaches or non-compliance
  • Establish a copy of your Records of Processing Activities (RoPA)

Provide ongoing GDPR Representation

  • Maintain and update your RoPA on an ongoing basis
  • Translate and respond to queries from European and UK data protection authorities and data subjects
  • Log and (where appropriate) report breaches
  • Receive and log data subject rights requests and advise on suitable responses
  • Advise on data protection regulatory issues that impact your organisation
