What Is a UK Representative and Why Do You Need One?

Natacha has held a number of high-level positions within the Foreign Office including Deputy Ambassador to China and a Director responsible for economic diplomacy and Emerging Powers. She has also worked in global trade policy and international issues.

Companies that are not based in the UK must comply with UK privacy laws. They must appoint a representative in the UK who will be their point of contact for data subjects and ICO.

What is an UK representative?

The UK Representative is a person, company or organization that has been mandated by a data processor or controller to act in their behalf in all matters related to GDPR compliance. They will be the main contact for all queries from individuals exercising rights or requests from supervisory authority. They may be subject to national requirements that have been implemented due to the GDPR's extraterritorial reach (see the UK case Rondon against LexisNexis Risk Solutions).

The EU GDPR Article 27 and its UK equivalent, Section 3.2.2 of the Data Protection Act 2018, require the appointment of an official representative. This requirement applies to all companies that do not have a permanent presence in the United Kingdom but offer goods or services or observe the actions of individuals located there, or who process personal data. The representative must be able to show evidence of their identity and that they are capable of representing the data controller or processor in respect to the UK GDPR's requirements.

In addition to acting as a means for individuals to exercise their GDPR rights as well as a means for individuals to exercise their rights under GDPR, the representative must also capable of communicating with authorities in the event of an incident. The Representative must notify the supervisory authority who appointed them, regardless of whether or not the breach affects individuals in multiple jurisdictions.

It is recommended that the representative has worked with both European and UK-based authorities for data protection. It is also desirable to are fluent in the local language because they are likely to receive contact from both individuals and data protection authorities in the countries in which they work.

The EDPB declares that the Representative is responsible for any non-compliance. However, the UK case of Rondon v. LexisNexis UK Ltd. (2019) EWHC1427 affirmed that a representative can't be sued by anyone who believes that the controller of the data did not meet the GDPR requirements in the UK. The court concluded that the Representative did not have a direct connection to the processing of data by the represented entity.

Who should be appointed a UK Representative?

To be in compliance with the EU GDPR, companies outside of the EU who are aiming their goods or services towards European citizens, but do NOT have an office, branch, or establishment within the EU must designate an EU Representative. This is in addition to requirements of the national data protection laws. The role of a representative is to be a local point-of-contact for individuals and supervisory bodies regarding GDPR-related issues.

The UK has similar requirements to the EU, which is outlined in Article 27 of UK-GDPR. The threshold is the same as that of the EU requirement: any organisation providing goods or services within the UK or monitoring the behavior of individuals who are data subjects, must designate an UK Representative.

Under the UK-GDPR, a representative must be mandated in writing "to be, additionally or alternatively addressed, on behalf of the controller or processor by data subjects and the [British Information Commissioner's Office]". They cannot be held personally responsible for GDPR compliance. However they must cooperate with supervisory authorities in formal proceedings and also receive communications from data subjects exercising their rights (access request, right to be forgotten, etc. ).

Representatives must be situated within the EU member state where the people whose data are processed reside. In most cases this isn't an easy decision to make and a thorough analysis of legal and business aspects is required to determine the location(s) best suited to an organization. This is why we provide an individualized service that assists companies in assessing their requirements and selecting the best Representative option.

It is also recommended that Representatives have experience interacting with supervisory authorities as well as handling inquiries from data subjects. Local language skills can also be essential, as the job could involve dealing with requests from data subjects or supervisory authorities across Europe.

The identity of the representative should be made clear to the individuals who are data subjects by incorporating their information in privacy policies and information provided to individuals before collecting their personal data (see Article 13 of the UK-GDPR). Contact information for the UK Representative should be posted on your website so that supervisory authorities are able to easily contact them.

When do you need to appoint an UK Representative?

If your organisation is located outside the UK and provides products or services in the UK or monitors the behaviour of individuals, you may be required to appoint a UK avon cosmetics representative. The UK's Applied EU GDPR regime is applicable to non-UK established companies that are performing activities in the UK. It has the same reach as EU GDPR, with limited exceptions. You should take our free self-assessment and find out if you are subject to this obligation.

A Representative is appointed by the appointing party under an agreement of service to represent that party with respect to certain obligations under the UK GDPR and EU GDPR, if applicable. In the UK the primary goal of this is to facilitate communication between the appointing party and the Information Commissioner's Office (ICO) or any affected data subjects in the UK. A Representative could be an individual or a company with a UK base. The appointing body must make it clear to individuals who are data users that their personal data will be processed by the Representative, and the identity of that person or company should be made easily accessible to supervisory authorities.

According to Articles 13 and 14 of the UK GDPR the entity that is appointed as the representative is also required to provide the contact details of its representative to the ICO as well as the data subjects in the UK. It must make it clear that the function of a Representative is distinct from and UK Representative not compatible with the duties of a Data Protection Officer ("DPO"), which requires a level of independence and autonomy that cannot be provided by a representative.

If you have to designate an official from the UK representative the process should be completed in the earliest time possible. This is because the requirement will be in effect immediately after Brexit (if there is a 'hard' or 'no deal' Brexit) or after an implementation period (if there is a soft or "with deal" Brexit). There is no grace period.

What are the prerequisites to becoming a UK representative?

According to UK laws on data protection A representative is a person or a company who is "designated" in writing by an entity which has no physical presence in the UK but is subject to the law. The UK representative should be competent to represent the company in compliance with its obligations under the law and their contact information must be readily accessible to anyone who reside in the UK who have personal data being an avon representative processed by the non-UK-based business.

The UK Representative must be an overseas senior member of a media or business company, and have been hired and employed as an employee by the media or business entity located outside the UK. The visa applicant must genuinely intend to be employed full-time as the UK Become avon Representative for the business or media organisation, and they are not allowed to engage in any other business activities in the UK.

Additionally the visa applicant must demonstrate that they possess the necessary skills and experience to fulfill their role as UK Representative which includes serving as the local point of contact for queries from data subjects and the UK data protection authorities. This is to ensure that the UK Representative has sufficient knowledge of and understanding of the UK data protection laws and can be able to respond to requests from individuals exercising their rights under the law in addition to any other inquiries or requests received from data protection authorities.

As the Brexit process moves forward and the process continues, it is likely that UK laws on data protection will change in the future. At the moment, however, it is expected for non-UK companies that do business in the UK and handle personal information on individuals within the UK to choose UK representatives.

This is because the UK GDPR requires that entities that do not have a UK presence must appoint a representative in accordance with article 27 of the UK GDPR which has been incorporated as a national law in the UK. If you are not sure whether you are required to nominate the position of a UK data protection representative It is suggested that you consult an experienced lawyer.