Frequently Asked Questions on the UK privacy law

Your guide for the UK Privacy Representation Program
Since the GDPR is an EU regulation, it will generally no longer apply directly in the UK after Brexit. However, the UK government has incorporated the GDPR into UK data protection law. So, from January 1st, 2021, onwards, the UK version of the GDPR, the “UK GDPR”, will be in force and companies will have to comply with it.
Most requirements remain the same as in the EU GDPR, so companies that are already compliant with the EU GDPR will not have to make major changes to comply with the UK GDPR. However, doing cross-border business may lead to additional requirements, such as appointing a UK representative or ensuring compliance for international data transfers to and from the UK.
The UK government has already stated that from January 1st, 2021 onwards, companies that are located outside of the UK, whether in the EU or in a third country, and have no offices, branches or other establishments in the UK, will have to appoint a UK representative if they are processing personal data of individuals in the UK that relates to either:
- offering goods or services to individuals in the UK; or
- monitoring the behavior of individuals in the UK.
Resources: ICO FAQs UK representatives
The EDPB has published guidelines on the territorial scope of the GDPR and the appointment of a representative (Guidelines 3/2018). Even though these guidelines will no longer be directly binding for UK law, the ICO has stated that they still provide helpful guidance when dealing with specific issues. Hence, when determining the territorial scope of the UK GDPR, the EDPB guidelines can help as long as the UK government does not adopt new regulations on this topic. According to these guidelines, several factors are considered when determining whether a company is offering its goods or services to individuals in the EU. Some of these factors, adjusted to a UK-only application, would be:
- using a language spoken in the UK and offering prices in the UK currency, GBP;
- using ads to address UK individuals or other marketing tools directed to UK customers;
- mentioning addresses or phone numbers to be reached from the UK;
- use of UK top-level domains;
- offering the delivery of goods to the UK.
Again, the EDPB guidelines (Guidelines 3/2018) can help to assess whether a company is monitoring the behaviour of UK individuals, as long as the UK government does not adopt new regulations. According to the EDPB guidelines, monitoring can take place both on the internet and through wearables and other smart devices. Some examples of monitoring activities would be:
- behavioural advertisement
- geo-localisation activities
- online tracking by using cookies or other tracking technologies
- market surveys and other behavioural studies based on individual profiles
- CCTV
If you are a public authority, there is no need for you to appoint a representative. Also, if your company fulfils all of the following criteria, there is no obligation to appoint a UK representative:
- You are processing personal data only on an occasional basis; and
- the data processing is of low risk to the data protection rights of the data subjects; and
- the processing does not involve special categories of data or data concerning criminal offences on a large scale.
Generally speaking, it is very hard for companies to fulfil all of the criteria mentioned above, which is why they are hardly ever able to take advantage of this exemption.
Resources: ICO FAQs UK representatives
Your representative may be an individual, a company or an organisation that is established in the UK. Since Prighter has a new office in the UK, we are able to act as a UK representative and are pleased to offer our UK representative services to your company.
Resources: ICO FAQs UK representatives
Since your representative should be able to represent you regarding your legal obligations under the UK GDPR, choosing a law firm or a consultancy company that has experience with data protection law might be the best choice. The representative should be appointed in writing and will act on your behalf regarding your compliance with the UK GDPR, as well as functioning as a local contact point for UK data subjects and the UK supervisory authority, the ICO.
Resources: ICO FAQs UK representatives
Do UK companies need an Art 27 GDPR representative in the EU?
Generally, companies which have no offices, branches or other establishments in the EU/EEA need an Art 27 GDPR representative if they are:
- offering goods or services to individuals in the EU/EEA; or
- monitoring the behavior of individuals in the EU/EEA.
Since the UK is no longer a Member State after Brexit, and consequently an establishment in the UK no longer counts as an EU/EEA establishment, this general rule will oblige UK companies that fulfil the criteria above to appoint an Art 27 GDPR representative. So, if you are a UK company that reaches out to the EU/EEA market without having an establishment within the EEA, you will be required to appoint an Art 27 representative.
For any further questions concerning the appointment of an Art 27 GDPR representative, please see our Art 27 GDPR FAQ.
Resources: Statement on the end of the Brexit transition period
If you are a public authority, you do not need to appoint a representative. Also, if you meet all following criteria, you are exempted from this obligation:
- You are processing personal data only on an occasional basis; and
- the processing is of low risk to the rights of the data subjects; and
- the processing does not involve large-scale usage of special categories of data or criminal offence data.
Double Representation
Companies that have no establishment within either the UK or the EU/EEA but are
- offering goods or services to individuals in the UK and the EU/EEA; or
- monitoring the behavior of individuals in the UK and the EU/EEA
will have to appoint two representatives, one in the EU and one in the UK, in order to comply with EU regulations on the one hand and UK regulations on the other.
Since Prighter has offices in the EU as well as in the UK, we are able to offer you both, EU representation as well as UK representation.
EU-UK Data transfer
An adequacy decision is a formal decision made by the European Commission recognising that another country, territory, sector or international organisation provides a level of protection of personal data essentially equivalent to that of the EU. The advantage of an adequacy decision is that it allows data to be transferred from an EEA state to that third country without any additional safeguards being necessary.
After the transition period, a data transfer from the EU to the UK is considered a third-country transfer under the GDPR. Besides an adequacy decision, the GDPR provides two other legal bases for such transfers: data may be transferred on the basis of “appropriate safeguards” (for example, standard contractual clauses) or of “derogations”. The ICO recommends that businesses receiving data from the EEA put alternative safeguards in place before the end of April 2021, in case no adequacy decision is adopted by then.
Resources: European Commission: Notice to Stakeholders; ICO: Information rights at the end of the transition period - Frequently Asked Questions
As of now, data transfers from the UK to the EU are permitted. Also, the UK government recognises the adequacy decisions that were adopted by the EU before the end of the transition period. This allows restricted transfers from the UK to most of the countries, territories and sectors covered by EU adequacy decisions.
Resources: ICO: Information rights at the end of the transition period - Frequently Asked Questions