EU representation – what UK businesses need to know

Written by Nicky Whiting, Head of Consulting

28/06/2021

The EU, Brexit, GDPR... and you

EU representation isn’t a new thing – it’s a core component of the GDPR (Article 27) – but it has become something that UK companies need to be aware of post Brexit. Up until 31st December 2020, UK companies didn’t need to worry about having an EU representative, as the UK was still covered by EU GDPR during the Brexit transition period. Now things have changed, and many UK businesses need to appoint an EU representative in order to maintain compliance with EU GDPR.


What is an EU representative?

The purpose of an EU representative is to act as a point of contact for both the data subjects based in the EEA and the Supervisory Authorities in the EEA. Effectively, an EU representative must be able to represent a company regarding its obligations under the EU GDPR. They can be an individual or a company (e.g. a law firm, consultancy or other private company), and must be named in your privacy notices so that people based in the EEA know who to contact if they wish to exercise their rights under the GDPR. Equally, they hold and maintain a copy of your records of processing and make these available to the Supervisory Authorities on request.


When do I need an EU representative?

You need an EU representative if your business:

  • Doesn’t have an office, branch (or other establishment) in the EU, and either
  • Offers goods or services to people in the EU, or
  • Monitors the behaviour of people in the EU

There are some exceptions to be aware of here, so you don’t need an EU representative if:

  • You’re a public authority

Or

  • The processing meets all of the following conditions:

    • It is only occasional
    • It is unlikely to result in a risk to the rights and freedoms of individuals
    • It doesn’t involve large-scale processing of special category data
    • It doesn’t involve large-scale processing of criminal offence data

The formal wording is set out in Article 27 of the GDPR itself (the territorial scope test it relies on is in Article 3(2)).


What about a UK representative?

As the saying goes, what’s good for the goose is good for the gander. And sure enough, following Brexit, companies based outside of the UK now need a UK representative to maintain compliance with UK GDPR. The rules and exclusions are the same as those mentioned above:

Non-UK businesses need a UK representative if they:

  • Don’t have an office, branch (or other establishment) in the UK, and either
  • Offer goods or services to people in the UK, or
  • Monitor the behaviour of people in the UK

As before, the exclusions are essentially the same, so a UK representative isn’t needed if either:

  • You’re a public authority

Or

  • The processing meets all of the following conditions:

    • It is only occasional
    • It is unlikely to result in a risk to the rights and freedoms of individuals
    • It doesn’t involve large-scale processing of special category data
    • It doesn’t involve large-scale processing of criminal offence data

Where should an EU representative be based?

The ICO states that the EU representative should be based in an EU member state where (some of) your data subjects are located. Obviously, if you process personal data of data subjects located across the EU, you will need to decide where best to locate your EU representative, taking into consideration the number of data subjects you have in each country, the need to communicate with those data subjects and their Supervisory Authorities in their own language, and where the representative can most effectively fulfil their role. However, if you’ve only got customers in, say, Spain, you should locate your representative in Spain.


What do you need to do to appoint an EU representative?

Once you’ve determined the best location for your EU representative, you need to appoint them officially by confirming the appointment in writing. Make sure you keep the ‘EU Data Representative Appointment Letter’ on file. You’ll also need to have a contract in place to ensure their role is clearly defined, reporting lines are in place, and so on. Note that having a representative does not affect your own liability or responsibilities under the EU GDPR: you remain accountable for your processing.

Once you have appointed a representative, you need to make sure you update your privacy notices to provide their contact details so that data subjects and the Supervisory Authorities are able to contact them – this is in addition to any other contacts you have on your privacy notice e.g. your UK contacts.


Can my DPO be my EU representative?

Simply put: no.

Whilst this might seem like a handy shortcut at first, the European Data Protection Board’s guidelines on territorial scope, first issued in November 2018, state that the two roles are incompatible: a Data Protection Officer (DPO) must be able to act independently, whereas the representative acts on the instructions of the company, so there is a clear conflict of interest if the DPO is also the EU representative. Plus, DPOs often have their hands full dealing with data subject access requests and reporting breaches, amongst much else.



In Summary

In this blog we learnt:

  • Barring a few exceptions, representation is a necessary part of GDPR compliance

  • It applies to companies who aren’t based in the EU but want to continue business operations there

  • Your EU representative must be based in an EU member state where (some of) your data subjects are

  • You must include the representative’s contact details in your privacy notices

  • The same goes for non-UK businesses operating in the UK

  • Your DPO can’t also be your EU/UK representative


