Companies established outside the European Union are required to appoint an EU representative if they offer goods and services to individuals in the EU or monitor their behaviour. The European Data Protection Board Guidelines 3/2018 provide guidance on what amounts to offering goods and services in the EU. Certain important exceptions apply under Article 27 GDPR.
The UK government has indicated that data controllers and processors located outside the UK will need to appoint a UK representative if they process the personal data of UK citizens.
The GDPR representative may be appointed in any EU state for the purpose of the whole EU. The representative must be appointed by the controller or processor in writing addressed to the supervisory authorities and data subjects.
The representative acts as an intermediary between the authorities and data subjects (the persons who are the subject of the information) and the business outside the EU which processes or controls their data. The representative is to maintain certain records and make them available to the supervisory authorities.
The UK government intends that after the transition period ends, the UK version of the GDPR will say that a controller or processor located outside the UK – but which must still comply with the UK GDPR – must appoint a UK representative.
Article 3 of the GDPR extends the regulation to data controllers and processors who are based outside of the EEA but are processing personal data of people within the EEA in connection with the offering of goods and services to them or for monitoring purposes. Paragraph 5 of Schedule 1 of the instrument retains this principle in the context of the UK. In practice this means that the UK GDPR will apply to a controller or processor who is based outside of the UK, but is processing personal data of people within the UK in connection with the offering of goods and services to them or for monitoring purposes. This entails extending the scope of the current regime (which currently applies extraterritorially to controllers and processors outside of the EEA) to certain processing by controllers and processors established within the EEA after the UK’s Exit.
Article 27 of the GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA in certain circumstances where they are processing the personal data of data subjects who are in the EEA. The requirement does not apply to public authorities or to controllers/processors whose processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
This provision has been retained in the UK GDPR but changed, by the amendment in paragraph 21 of Schedule 1, so that it applies to a controller or processor outside of the UK, who will be required in certain circumstances to designate a representative in the UK. The representative can be contacted by supervisory authorities and/or data subjects, instead of or in addition to the data controller/processor, on all issues related to data processing, for the purposes of ensuring compliance with the UK GDPR.