Understanding the role of a representative under EU and UK GDPR after Brexit

Organisations in the UK and EU have been weathering a sea of changing legislation and uncertainty since the decision to leave the EU. In the case of data protection matters much remains undecided.

As things stand the EU GDPR has been incorporated into UK data protection law. This means that companies that complied with EU GDPR prior to 31st December 2020 will still comply with UK GDPR now that the transition period has ended.

There are, however, two key factors that may need to be considered on top of this. First, the issue of data flow between the EU and the UK, which was agreed in December 2020 by the EU and UK and forms the Trade and Cooperation Agreement. Second, the obligation organisations have to appoint a representative in the EU and UK.

Until the end of the transition period (31st December 2020) organisations based outside of the EU were obligated to appoint an EU representative for privacy matters if they would be processing personal data of European individuals, relating to “offering goods or services” to, or “monitoring the behaviour” of individuals in the EU. 

Prior to 1st January 2021 the UK was in the EU, so a UK company was itself an EU-based company. As a result, UK companies were not affected by this requirement.

On 1st January 2021, however, the UK left the EU and the position became more complicated. Because the UK has adopted its own version of the GDPR (which contains the same obligation, but from a UK perspective), there are now two legal provisions that could require a company to appoint a representative in the EU, in the UK, or in both.

Understanding the territorial scope - offering goods and services

Deciding whether a company needs to comply with either or both of the UK and EU GDPR requires an understanding of the territorial scope of the legislation. In practice this means establishing whether the company is offering goods or services to individuals in a specific region.

To determine this, companies need to consider whether they are:

  • using languages spoken in a specific region

  • offering payments in the currency of a particular region

  • using online adverts, such as Google or Facebook, or other marketing to address a market in a particular region

  • using references or testimonials from a particular regional market

  • making reference to local addresses or phone numbers

  • using top-level domains relevant to a particular regional market

  • providing regionally-based delivery services

  • providing a service of an international nature, such as certain tourist activities

The EDPB has published guidelines as to what “offering goods or services” actually means within this territorial context and the ICO has also stated that they will provide guidance for specific issues. 

Understanding what monitoring behaviour means

The second area for consideration in deciding whether a company needs to comply with either or both of the UK and EU GDPR is the interpretation of what “monitoring an individual’s behaviour” means. Under Guideline 2/2018, not all online collection or analysis of personal data of individuals in the EU qualifies as “monitoring”. The EDPB is very specific about what it considers to be “monitoring” in this context, providing clear examples of data being collected and analysed for a specific purpose. These include:

  • behavioural advertisement

  • geo-localisation activities, in particular for marketing purposes

  • online tracking through the use of cookies or other tracking techniques such as fingerprinting

  • personalised diet and health analytics services online

  • CCTV

  • market surveys and other behavioural studies based on individual profiles

  • monitoring or regular reporting on an individual’s health status

In conclusion - what does this mean?

This is a complicated set of requirements, with many areas still under review. EU companies may now need to consider appointing a UK representative if they are targeting UK individuals. Similarly, UK companies may now need to assess whether they are required to appoint an EU representative, now that the UK has become a ‘third country’ from an EU perspective. Finally, companies outside both the UK and the EU may need to consider whether they must appoint two representatives in order to satisfy both UK and EU law. UK-based representatives that were previously used to satisfy the EU requirement may no longer be suitable.