New data protection law in the UK: The UK representative

Obviously, the British people have not been satisfied with the EU. However, the GDPR was probably no ground for complaint, as a "UK GDPR" was put into effect on 1 January 2021, containing rules very similar to those of its predecessor.

The UK representative

Among other things, the UK GDPR includes the requirement of a 'representative', the one introduced under Article 27 GDPR that applies to companies not established in the EU.

Companies that do not have a place of business in the UK but offer goods or services to individuals in the UK or monitor the behaviour of individuals within the UK shall appoint a representative under Article 27 of the UK GDPR. This obligation applies to, but is not limited to, online providers and IT companies that process personal data for their customers. It applies even if the IT company carries out the processing solely by order, which means that the data is processed only on behalf of a third party.

As in the European model, the UK representative shall act as a local contact person and, if necessary, shall communicate with the British Information Commissioner's Office as the responsible data protection authority. He/she is also the delivery agent for all communications relating to data protection in the UK. This is to avoid losing too much time in cross-border communication.

Qualification of the representative

The representative may be a company or an individual established or resident in the UK, and must be notified to the British Information Commissioner's Office in writing. He/she shall have access to the company's records of processing activities (Article 30 GDPR) and be fully authorised to act on the company's behalf. Hence, he/she shall be an expert in the field of data protection law. He/she shall also be listed in the company's data privacy policies with his/her contact details.

Possible sanctions

The penalties for a breach of the UK GDPR are as draconian as those under the GDPR: fines of up to GBP 8,700,000 or 2% of a company's annual worldwide turnover may be imposed. Thus, personal data of persons from the United Kingdom should enjoy the same level of protection, and the same principles should be applied as under the GDPR.

Author: Beatrix Fakó