Understanding the role of a representative under EU and UK GDPR after Brexit
Organisations in the UK and EU have been weathering a sea of changing legislation and uncertainty since the decision to leave the EU. In the case of data protection matters, much remains undecided.
As things stand, the EU GDPR has been incorporated into UK data protection law. This means that companies that complied with EU GDPR prior to 31st December 2020 will still comply with UK GDPR now that the transition period has ended.
There are, however, two key factors that may need to be considered on top of this. First, the issue of data flow between the EU and the UK, which was agreed in December 2020 by the EU and UK and forms the Trade and Cooperation Agreement. Second, the obligation organisations have to appoint a representative in the EU and UK.
Until the end of the transition period (31st December 2020), organisations based outside of the EU were obligated to appoint an EU representative for privacy matters if they would be processing personal data of European individuals relating to “offering goods or services” to, or “monitoring the behaviour” of, individuals in the EU.
Prior to 1st January 2021 the UK was in the EU, so UK companies counted as EU-based companies. As a result, UK companies were not affected.
On 1st January 2021, however, the UK left the EU and the circumstances became more complicated. Now that the UK has adopted its own version of the GDPR (which has the same obligation but from a UK perspective), there are two legal provisions that could require a company to appoint a representative in the EU, the UK or even both.
Understanding the territorial scope - offering goods and services
Deciding whether a company needs to comply with either or both of the UK and EU GDPR requires an understanding of the territorial scope of the legislation. This means fully understanding whether the company is offering goods or services to individuals in a specific region.
To determine this, companies need to consider whether they are:
using languages spoken in a specific region
offering payments in the currency of a particular region
using online adverts, such as Google or Facebook, or other marketing to address a market in a particular region
using references or testimonials from a particular regional market
making reference to local addresses or phone numbers
using top-level domains relevant to a particular regional market
providing regionally-based delivery services
providing a service of an international nature, such as certain tourist activities
The EDPB has published guidelines as to what “offering goods or services” actually means within this territorial context and the ICO has also stated that they will provide guidance for specific issues.
Understanding what monitoring behaviour means
The second area to consider, when deciding whether a company needs to comply with either or both of the UK and EU GDPR, is the interpretation of what “monitoring an individual’s behaviour” means. Under Guideline 2/2018, not all online collection or analysis of personal data of individuals in the EU qualifies as “monitoring”. The EDPB is very specific about what it considers to be “monitoring” in this context, providing clear examples of data being collected and analysed for a specific purpose. This includes:
geo-localisation activities, in particular for marketing purposes
personalised diet and health analytics services online
market surveys and other behavioural studies based on individual profiles
monitoring or regular reporting on an individual’s health status
In conclusion - what does this mean?
This is a complicated set of requirements with many areas still under review. EU companies may now need to consider appointing a UK representative if they are targeting UK individuals. Similarly, UK companies may now need to assess whether they are required to appoint an EU representative, now that the UK has become a ‘third country’ from an EU perspective. Finally, those companies outside of both the UK and EU may need to consider whether they need to appoint two representatives, to satisfy both UK and EU law. UK-based representatives used previously to satisfy the EU requirements may no longer be suitable.