Updated: Aug 25, 2021
If you run a UK business with a client base in the EEA (EU countries plus Norway, Liechtenstein and Iceland), it is likely you will need to appoint an EU Data Representative, a requirement which came into effect on the 1st Jan 2021 under the EU-UK Trade and Cooperation Agreement.
Will this affect your business?
Yes, if you
· have no offices, branches or other establishments in the EU/EEA.
· process data of individuals in the EU/EEA on a regular basis or monitor their behaviour.
Are there any exceptions?
Yes, data processors based outside the EU/EEA are exempt if
· they only process data very occasionally.
· they do not present risks to "rights and freedoms" of EU data subjects.
· they do not process sensitive personal data as in the special data categories.
· their organisation is a public body.
Here are some examples
If you are a retailer or service provider regularly selling to clients in the EEA and therefore hold a customer database, you will definitely need an EU Data Representative.
If you offer niche products via an online marketplace and sell these to individuals in the EEA a few times a year, then this would be negligible (according to Art. 27 Par. 2 EU GDPR); therefore, you would not need to appoint one.
What are the fines in case of breach of GDPR?
The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
What are the responsibilities of an EU Data Representative?
In accordance with Article 27 and Article 30 EU GDPR, the tasks comprise
· the representation of your organisation before all supervisory data protection authorities in the EU/EEA.
· maintaining Records of Processing Activities (ROPA).
· notifying you of any changes regarding EU data protection legislation and other relevant data protection regulations in the EU.
· liaison with affected data subjects regarding requests or complaints.
· endeavouring to reach an out-of-court settlement in case of a breach of GDPR.
This affects my business – what do I need to do?
Search for an EU Data Representative; this can be an individual or an organisation based in the EU/EEA. Your Representative will cover you for the whole EU/EEA; however, it might be an advantage to appoint one in the country you have the most dealings with.
The legal minimum requirement for the appointment would be to submit a letter, which must include the following information: your company name and address, your EU Representative's name and contact details, and a reference to the need for the appointment according to Article 27 EU GDPR.
Further, you should sign a service contract with your Representative governing the conditions of the appointment (pay, hours worked, termination notice, etc.), clauses balancing liability, an indemnity clause and an NDA.