Get in touch
If you have any questions relating to this article or have any commercial legal matters you would like to discuss, please contact Amir on [email protected]
Insight
Don't forget about the Article 27 representative
Organisations that supply into the UK and/or the EU but have no footprint in those markets should carefully assess whether they need to appoint a representative to comply with the GDPR and UK data protection law. Failure to appoint a representative where one is required could expose overseas businesses to a substantial fine and reputational damage.
Does my organisation need a representative?
If your organisation is established outside the EU and supplies goods or services into the EU then you need to appoint an EU representative. The same principle applies in a UK context where an organisation makes supplies into the UK but has no establishment in the UK. These requirements apply to controllers and processors.
Overseas businesses that have no footprint in the UK or the EU and supply into both markets will need a UK representative and an EU representative.
What is the role of a representative?
A representative acts as a local point of contact for the entity it represents and can communicate on its behalf with data protection authorities and data subject. The core functions of a representative include:
- understanding an organisation’s processing activities
- maintaining records of processing activities
- cooperating and providing information to data protection authorities
A representative may be a company or an individual but their appointment must be in writing.
What liability does a representative have?
Whilst a representative is accountable for any violation of its obligations under data protection law, the appointment does not create ‘representative liability’, as the High Court ruled in Rondon v LexisNexis Risk Solutions UK Ltd. In its decision the court reasoned that a representative would not be directly liable for a breach by the entity it represents. The decision applied in the context of an EU representative but reflects the view of the ICO on the subject and so it should also apply in a UK context.
What are the risks?
Failing to appoint an EU representative could expose your organisation to a fine of up to €10 million or 2% of your organisation’s total worldwide annual revenue. Expect similar fines for a failure under UK data protection law.
There are indications of increased activity from data protection authorities in this space. On 12 May 2021, non-EU based website provider ‘Locatefamily.com’ was fined €525,000 by the Dutch Data Protection Authority for its failure to appoint an EU representative. The fine sends a strong signal to overseas business that they must take the requirement to appoint a representative very seriously.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.
Share:
Related Insights
Related Insights
Insights
Stay ahead with the latest from Boyes Turner
Sign up to receive the latest news on areas of interest to you. We can tailor the information we send to you.
Sign up to our newsletter