TWO GDPRs – EU & UK

Since 1st January 2021, there have effectively been two data protection legislations in Europe – the EU GDRP for individuals in the EU and the UK GDPR for individuals in the UK. Where businesses process both types of personal data, they need to comply with both legislations. This is especially true of the events and hospitality sectors, in which businesses process large volumes of personal data.

EU AND UK REPRESENTATIVES

The EU GDPR of May 2018 said that all companies (anywhere in the world) without an establishments within the EU that offer goods or services to, process the personal data of, or monitoring the behavior of individuals in the EU, will need to appoint an EU representative. An exemption applies if the processing is only ‘occasional’, but this generally would not apply to events and hospitality businesses, as they process large volumes of personal data from all over the world.

Since the end of the Brexit transition period on 31st December 2020, the UK has absorbed the EU GDPR into UK law, creating the UK GDPR. The main difference is that this applies to individuals within the UK – hence we now have two GDPR legislations. The UK GDPR mirrors the representative requirements of the EU GDPR.

This means that UK companies may now be required to appoint a representative in the EU/EEA, if they process the data of individuals in the EU and do not have an office in the EU/EEA.

Similarly, EU/EEA companies now may be required to appoint a representative in the UK, if they process the data of individuals in the UK and do not have an office in the UK.

International companies who have already appointed a representative in the EU/EEA may now be required to appoint a representative in the UK as well, depending on which data they process.

RESPONSIBILITIES OF A REPRESENTATIVE

Companies that need to appoint an representative must do so in writing, and update their privacy policy / notice with the contact details of the representative. The task of the representative include:

To remain accessible and facilitate communication between data subjects and the organisation
To maintain an up-to-date record of processing activities of the company
To co-operate with the GDPR supervisory authorities (ICO for the UK and DPA for the EU) in the event of any enquiries or investigations
To be the point of contact for data subjects within the territory (EU or UK)
NOTE: Supervisory authorities can pursue enforcement actions through the Representative for the non-compliance of the organisation they represent

Not sure if you need to appoint an EU or UK Representative?

POTENTIAL FINES

If a non-EU company needs to appoint an EU representative but fails to do so, this may lead to fines of up to EUR 10,000,000.00 or 2% of non-EU company’s annual group turnover, whatever is higher. Non-compliance with the obligation to appoint an EU representative is very easily visible, as the contact data of the EU representative generally needs to be provided within the privacy policy. Similar fines apply for non-UK companies that fail to appoint a representative when required to do so

Not sure if you need to appoint an EU or UK Representative?

ABOUT US

GDPRRep.co.uk is managed by Smartec Business Solutions, which specializes in technology and data solutions for the event and hospitality industry. Smartec is based in the UK and can provide both a UK representative, and an EU representative through partners based in the EU.

Not sure if you need to appoint an EU or UK Representative?

RESOURCES

The Effect of Brexit on UK / EU Data webinar:

To watch a 30-minute webinar created by Smartec, click on this link: https://app.boothted.com/smartecbs/Effect_of_Brexit_on_UK_EU_data_2

Simply enter your contact details on the login page – no password is required.

Webpage: https://www.smartecbs.com/resources/gdpr_after_brexit

CONTACT US

Please contact us if you have any queries about your requirements to appoint a representative in either the EU, UK or both. Or, if you require other GDPR services.