EU GDPR / UK Data Representative
23rd March 2022
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) requires that in certain circumstances entities which are not established in the EU appoint a “data representative”. The failure to appoint a data representative in circumstances where an entity is required to do so is a breach of GDPR.
What is a data representative?
The role of the data representative encompasses acting as a representative of the non-EU entity in the EU, acknowledging requests from data protection authorities in the EU, holding the entity’s Record of Processing Activity (“ROPA”) and, where necessary, providing information to a data protection authority in the context of an investigation, as well as supporting the notification of a personal data breach should one occur.
When is a data representative required?
A data representative is required where, broadly, an entity that is not established in the EU processes personal data of EU data subjects and the processing activities are related to the offering of goods or services to EU data subjects, or the processing involves the monitoring of the behaviour of EU data subjects as far as that behaviour takes place in the EU. The need to appoint a data representative also arises if an entity processes special categories of personal data.
Therefore, if an entity established outside the EU offers its goods or services to EU data subjects and processes personal data in connection with the offering of those goods or services, a data representative may be required. In this context, it is worth bearing in mind that personal data under GDPR includes a broad array of information: not only names and addresses, but even email addresses may be considered personal data. Processing of personal data includes the storage of personal data.
What about the UK?
The requirements to appoint a data representative are also present in the UK under very much the same conditions as they are in the EU. In other words, an entity that is not established in the UK but processes personal data of UK data subjects, where the processing activities are related to the offering of goods or services to UK data subjects or the processing involves the monitoring of the behaviour of UK data subjects, may be required to appoint a UK data representative. The role of the UK data representative is substantially the same as that of the EU data representative.
How can Zeidler Group assist?
Zeidler Group can act as both EU and UK data representative. For more information or to discuss whether you may be required to appoint either an EU or UK data representative, please do not hesitate to contact us.