AUTHOR: NAOMI SCHEMBRI
Dr Naomi Schembri, an associate within the firm, writes about the requirement to appoint a data protection representative under both the EU and the UK GDPR (the “Regulations”) and the implications that this has on operators falling within the remit of the Regulations. The author delves into the requirement which has acquired even greater significance since the UK withdrew from the EU and adopted most of the GDPR text into its data protection laws to form what is nowadays referred to as the UK GDPR.
Published on 7th April, 2021
As the UK withdrew from the EU at the start of 2020, and with third-country status automatically conferred on it as a result of that withdrawal, a wave of uncertainty swept over stakeholders, legislators and legal practitioners alike. In a data protection context, the effects of Brexit have been mostly felt in two core areas: the first being the continuation of data flows between the EU and the UK, and the second being the obligation to appoint a representative in line with Article 27 of the General Data Protection Regulation (EU 2016/679) (the “GDPR”).
The new year – with the Brexit transition period coming to an end – brought about some clarity in relation to how data may continue to flow between the EU and the UK, and this without significant interruptions notwithstanding the onerous requirements established by the GDPR for cross-border data flows.
Whilst the UK awaits a final decision on whether it will be granted adequacy status by the European Commission, and in an attempt to temporarily bridge the gap that has been created between the EU and the UK, the notorious Trade and Cooperation Agreement became provisionally applicable from 1 January 2021. It provides for an interim measure enabling transborder data flows between the EU and the UK for a four-month period, which may be extended by a further two months upon agreement, unless an adequacy decision is granted before the expiry of such period. What this means in practice is that, throughout these six months, data may continue to flow freely between the EU and the UK without the need for the mechanisms for transfers of data to third countries contemplated under Article 46 of the GDPR.
The obligation to appoint a Representative – in the EU, in the UK or in both?
Data controllers and processors which are not themselves established in the EU/EEA, but which fall within the territorial scope of the GDPR under Article 3(2) by virtue of collecting and/or processing personal data of data subjects within the Union – a category that nowadays also includes UK operators – are automatically obliged to appoint a representative in terms of Article 27 of the GDPR, failing which they will be in breach of the Regulation. With regard to the UK, this obligation to appoint a representative in the Union will continue to subsist irrespective of whether adequacy status is eventually granted, as the grant of adequacy will not cancel the third-country status acquired by the UK as a result of its withdrawal from the Union.
Since, post-Brexit, the UK incorporated most of the provisions under the EU GDPR into its data protection laws to make up what is widely referred to as the ‘UK GDPR’, the obligation to appoint a representative, this time in the UK, has also, from 1 January 2021, similarly been placed on controllers and processors located in a third country – which, for the purposes of the UK GDPR, also refers to EU operators – when active in the UK market.
In simple terms, therefore:
- Organisations established in the UK targeting data subjects in the EU/EEA market will most likely need to appoint a representative in the EU/EEA;
- Organisations established in the EU (or elsewhere) targeting data subjects in the UK market will most likely need to appoint a representative in the UK; and
- Organisations established outside the EU/EEA and the UK targeting data subjects in both the EU/EEA and the UK markets will most likely need to appoint two representatives, one in the EU and one in the UK.
When should a representative be appointed?
Article 27 of the UK GDPR mirrors Article 27 of the EU GDPR, and therefore both provisions bind operators in the same way – of course dependent on their respective territorial scope. The general rule is that the obligation under said Articles applies where the processing activities of a controller or processor established outside of the relevant territory relate to:
- the offering of goods or services to data subjects located in the Union and/or the UK, irrespective of whether the offering is against payment or not; or
- the monitoring of the behaviour of data subjects within the Union and/or the UK.
There are however exceptions, in that the obligation to appoint a representative in the relevant territory shall not apply whenever:
- the processing is occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- the controller is a public authority or body.
What is the role of a representative and who may act as one?
The representative should be appointed directly by the third-country controller or processor to act on its behalf in complying with data protection obligations within the relevant territory, as well as to serve as the primary point of contact between it and enquirers from said territory. The representative shall, to an extent, act as the lunga manus of the controller or processor, particularly in dealing with any requests as may be submitted by data subjects and by supervisory authorities on all issues related to the processing activities undertaken in a way which ensures compliance with the GDPR.
The GDPR requires that an EU representative shall be established in the Member State where the targeted data subjects are located – or where the majority of them are. Any appointed representative can be either a natural or legal person. There are no specific requirements in this regard. However, a DPO may not act as a representative, in view of the inherently conflicting nature of the two roles: a DPO needs to carry out tasks in an independent manner, whilst the representative acts upon the instructions of its mandator.
Implications for EU operators
EU operators without an establishment in the UK, which have up until recently given little to no attention to the obligation to appoint a representative under Article 27 of the GDPR, may – as a result of Brexit and the adoption of said obligation into the UK GDPR – need to appoint a representative within the UK should they wish to continue operating within its market and targeting data subjects in that area. This should be subject to careful consideration and assessment to ensure that no laws – be they European or otherwise – are breached as a result of the processing of personal data within the particular territory. Otherwise, burdensome consequences for the relevant controller or processor will most likely follow.
The interpretation of these criteria is subject to the EDPB’s guidelines on the territorial scope of the GDPR (Guidelines 3/2018). Even though these guidelines will not be directly relevant to the UK anymore, the ICO have formally recognised that they shall continue to be referred to as providing helpful guidance when interpreting the UK GDPR.
DISCLAIMER: The information contained in this document does not constitute legal advice or advice of any nature whatsoever. Although we have carried out research to ensure, as far as is possible, the accuracy and completeness of the information contained in this article, we assume no responsibility for errors or other inconsistencies herein.