Dealing with data in the EU…
We are regularly asked about dealing with data in the post-Brexit trading environment, as businesses continue to trade internationally. Data protection compliance has been a key issue for businesses since the advent of GDPR and the Data Protection Act 2018, but Brexit has added further issues that need to be addressed when dealing with data relating to individuals in the EU. In this article we look at some of the key questions about transferring or processing personal data internationally.
Following the end of the Brexit transition period can data be transferred from the UK to an EU member state?
Yes. UK data protection law (the Data Protection Act 2018 and UK GDPR) treats the EU and EEA member states as providing adequate protection for personal data, so transfers from the UK to those states can continue without additional safeguards.
What about transfers from EEA countries to the UK?
On 28 June 2021 the EU Commission (the Commission) published an adequacy decision recognising that the UK provides an adequate level of protection for personal data under EU GDPR, so transfers from the EEA to the UK can continue without additional safeguards. The decision contains a sunset clause and is expected to last until the end of June 2025, but it could be withdrawn before then if the Commission determines that UK data protection law no longer provides an adequate level of protection. Assuming the decision is not withdrawn, it will be reviewed by the Commission and can be renewed for up to a further four years.
What if my business involves offering goods or services to individuals in the EU?
If you are based in the UK, do not have an office, branch or other establishment in any EU or EEA state, and you offer goods or services to individuals in the EU or EEA or monitor their behaviour, then you need to continue to comply with EU GDPR in relation to that processing.
EU GDPR imposes an obligation on you to appoint a representative in the EEA. The representative should be established in one of the EU or EEA states where some of the individuals whose data you process are located.
The representative could be an individual, a company or another form of organisation established in the EEA.
Are there any exemptions to the requirement to appoint a representative?
Yes. You do not need to appoint a representative if:
- If you only process data relating to EU individuals occasionally, your processing is of low risk to the individual and it does not involve the large scale processing of special category data or data relating to criminal offences; or
- You are a public authority.
If you are based outside the UK do you need to appoint a UK representative?
If you are based outside the UK, do not have an office, branch or other establishment in the UK, and you offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, then you need to comply with UK data protection law, including UK GDPR, in relation to that processing.
In that case you must appoint a representative in the UK, subject to the same exemptions as under EU GDPR. The representative can be an individual, a company or another form of organisation established in the UK.
Does the representative need written terms of appointment?
Yes. Both EU GDPR and UK GDPR require the representative to be designated in writing, whether they are in the UK or in the EEA.
What is the role of the representative?
The role of the representative is to represent you in connection with your data protection obligations, for example in relation to the exercise of data subject rights, and to act as a contact point for the data protection authorities in the jurisdictions where the data subjects are based. Authorities and data subjects can approach the representative instead of, or in addition to, you.
The representative is also required to keep a copy of your record of processing activities and must provide it to the relevant data protection authorities on request.
The identity and contact details of the representative should be set out in your privacy notice and in any other data protection information you provide to data subjects.
Is the representative responsible for breaches by the entity that appoints it?
This question was recently considered by the High Court in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB), which concerned the UK representative of a US company. The court ruled that the representative is not liable in place of the appointing company for that company's breaches; the role is one of representation and contact, not a substitute for the appointing company's own accountability.
For further advice in relation to data protection and dealing with data in the EU, talk to Tollers on 01604 258558 and ask to speak to the specialists in our Corporate and Commercial team, who will be happy to help and guide you through.