Authorised Representatives under GDPR

Joanna Boag-Thomson and Rachel Brooks discuss when organisations based outside the EU require an EU representative, what they do under the GDPR and the potential disruption that Brexit may have upon the UK's data protection regime.

5th October 2022

The General Data Protection Regulation (GDPR) has extraterritorial scope: under Article 3(2) it applies to controllers and processors that are not established in the EU where their processing relates to offering goods or services to individuals in the EU, or to monitoring the behaviour of individuals in the EU. Companies based outside the EU but doing business within it will therefore often be subject to the GDPR regime, whether they act as controllers or as processors.

When is an EU representative required?

One requirement of the GDPR regime (Article 27) is for a controller or processor that does not have an establishment on the ground (such as an office) in the EU to designate an authorised representative. The representative must itself be established in one of the EU member states in which the individuals whose personal data is being processed are located.

While a representative is not always required (Article 27(2) exempts public authorities and bodies, and processing that is only occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions and offences, and is unlikely to result in a risk to individuals' rights and freedoms), the threshold is low and will be met when a company which is not established in the EU offers goods or services to individuals in the EU or monitors their behaviour. Note that the trigger is the location of the individuals, not their nationality: the GDPR protects anyone in the EU, whether or not they are an EU citizen. An authorised representative will likely be required in the following scenarios where the personal data of individuals in the EU is collected:

  1. If an organisation delivers goods or services to individuals in the EU (whether or not payment is required);
  2. If an organisation's website accepts payment in the currency of an EU member state or is available in an EU language, factors which Recital 23 treats as evidence of an intention to offer goods or services to individuals in the EU (mere accessibility of a website from the EU is not, by itself, enough); or
  3. If an organisation monitors the behaviour of individuals in the EU, for example by tracking them online using cookies or similar technologies.

Now that Brexit has taken effect, UK organisations that meet these criteria and have no establishment in the EU need to appoint an EU representative.

What does a representative do?

An authorised representative must be designated in writing to act on the organisation's behalf in relation to its obligations under the EU GDPR. In practice, the easiest way to do this is via a service contract. That document regulates the relationship between the organisation and the representative, sets out the information the organisation must supply to it, and helps the controller or processor to comply with its obligations under the relevant GDPR regime. Appointing a representative does not, however, transfer liability: under Article 27(5) the controller or processor remains answerable for its own compliance, and legal action may still be brought against it directly.

An authorised representative will undertake a number of tasks on behalf of an organisation. Some of these are direct obligations under the GDPR, such as:

  • The representative will facilitate communication between data subjects and the entity that is represented. Data subjects should be able to contact the representative if they have any queries or issues with how their personal data is being used or if they would like to submit a rights request. 
  • The representative will cooperate with the relevant supervisory authority, which may address the representative instead of or in addition to the organisation, and will assist in the investigation of any complaints or enforcement action against the organisation it represents. 
  • The representative must maintain a record of the organisation's processing activities (Article 30 places this duty on the representative as well as on the controller or processor) and provide it when requested by a supervisory authority. To ensure that a representative has up-to-date information to hand, the controller or processor must provide its representative with accurate and current information. 

Data protection authorities can (and do) impose fines on organisations for failing to appoint an authorised representative. For example, in June 2021 the Dutch Data Protection Authority fined a non-EU website operator €525,000 for breaches of its GDPR obligations, including its failure to appoint an EU representative. 

UK divergence?

Following Brexit, the UK has mirrored the EU GDPR regime. While the EU GDPR no longer applies directly in the UK, it has been effectively duplicated in UK law as the UK GDPR (read alongside the Data Protection Act 2018). This means that a UK representative needs to be appointed where the personal data of individuals in the UK is collected and processed by non-UK organisations in circumstances similar to those described above for an EU representative. 

In July 2022, however, the UK Government's Department for Digital, Culture, Media and Sport (DCMS) introduced the Data Protection and Digital Information Bill to the UK Parliament, which would have made significant changes to the UK's data protection laws. One such proposed change was the removal of the requirement for an organisation outside the UK that processes the personal data of individuals in the UK, in the circumstances outlined above, to appoint a UK representative. 

The bill's second reading was postponed following the appointment of the new Prime Minister, Liz Truss, and at the Conservative Party conference in October 2022 the new Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, indicated that the new Cabinet intends to go further with the reforms. We will continue to monitor closely any proposed changes to the UK's data protection regime and stand ready to advise if and when these are implemented. 

Shepherd and Wedderburn LLP, and our Irish subsidiary Saltire Data Protection Services Limited, already act as authorised GDPR representatives in both the UK and the EU for a number of clients, with an experienced individual appointed as a point of contact to those who utilise this service. 

If you require similar support, or would like advice on whether your organisation needs to appoint an authorised representative under EU GDPR or UK GDPR, please contact Joanna Boag-Thomson, Partner in our media and technology team, or your usual Shepherd and Wedderburn contact.