European Data Protection Representative

Article 27 General Data Protection Regulation

The United Kingdom finally transitioned out of the European Union on the 31st December 2020. Amongst many other implications for the UK, there is an impact on Data Protection legislation. Specifically, the requirements that the European Union’s (EU) General Data Protection Regulation (GDPR) make on organisations based in the UK. The trade deal forged by both sides has resulted in an agreement to permit the free flow of personal data between the UK and the EEA (at least for 6 months whilst we await an adequacy decision). The UK Government has also recognised existing adequacy decisions made by the European Data Protection Board to countries with ‘fit for purpose’ data protection frameworks outside of the EEA. This is good news for UK based organisations, but there is still at least one sting in the tail!

Article 27 of the GDPR requires that any organisation that is not ‘established ‘ in the EU and processes personal data of persons within the EU in the course of offering goods or services, appoint a data protection representative in the EU.

So, if your business or organisation is ‘established’ in the EU, then providing you fit the criteria of ‘established’ as laid down in Article 3.1 of the GDPR then you can probably stop reading. However, if you are not, and you offer goods or services (whether on payment or not), to persons in the EU, then read on.

The obligation is for data controllers or data processors to designate a representative in the Union, in writing. There are exemptions to this obligation, which means there is no requirement if:

  • Processing is occasional, does not include, on a large scale, processing of special categories of data or data relating to criminal  convictions, and is unlikely to result in a risk to the rights and freedoms of natural persons…… or,
  • A public authority or body.

The representative shall be established in one of the member states where the subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are situated.

The representative will become your point of contact in the members state(s) where you are operating for the supervisory authority for that area and for data subjects themselves, so they can exercise their rights.

Compliance and Privacy Solutions has teamed up with a leading EU Representative service called DataRep. DataRep has been offering this service since 2017 so is very experienced in the GDPR era and offer affordable solutions starting at €150 per year. DataRep is the only company offering representation in 29 EU and EEA countries.

Our relationship with DataRep means we can provide you a discount code giving you 10% off your first year’s fee. Get in touch at contact@caps-ltd.co.uk to arrange a no obligation consultation and receive your 10% discount code should you decide to go ahead.