Organisations that supply into the UK and/or the EU but have no footprint in those markets should carefully assess whether they need to appoint a representative to comply with the GDPR and UK data protection law. Failure to appoint a representative where one is required could expose overseas businesses to a substantial fine and reputational damage.
Does my organisation need a representative?
If your organisation is established outside the EU and supplies goods or services into the EU then you need to appoint an EU representative. The same principle applies in a UK context where an organisation makes supplies into the UK but has no establishment in the UK. These requirements apply to controllers and processors.
Overseas businesses that have no footprint in the UK or the EU and supply into both markets will need a UK representative and an EU representative.
What is the role of a representative?
A representative acts as a local point of contact for the entity it represents and can communicate on its behalf with data protection authorities and data subject. The core functions of a representative include:
understanding an organisation’s processing activities
maintaining records of processing activities
cooperating and providing information to data protection authorities
A representative may be a company or an individual but their appointment must be in writing.
What liability does a representative have?
Whilst a representative is accountable for any violation of its obligations under data protection law, the appointment does not create ‘representative liability’, as the High Court ruled in Rondon v LexisNexis Risk Solutions UK Ltd. In its decision the court reasoned that a representative would not be directly liable for a breach by the entity it represents. The decision applied in the context of an EU representative but reflects the view of the ICO on the subject and so it should also apply in a UK context.
What are the risks?
Failing to appoint an EU representative could expose your organisation to a fine of up to €10 million or 2% of your organisation’s total worldwide annual revenue. Expect similar fines for a failure under UK data protection law.
There are indications of increased activity from data protection authorities in this space. On 12 May 2021, non-EU based website provider ‘Locatefamily.com’ was fined €525,000 by the Dutch Data Protection Authority for its failure to appoint an EU representative. The fine sends a strong signal to overseas business that they must take the requirement to appoint a representative very seriously.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.